Bitaid: A Peer-to-Peer Private Security Protocol

1. Introduction

Bitaid solves six compounding problems: trustless value transfer, censorship-resistant coordination, incentive-aligned escrow, self-sustaining network roles, court-free dispute resolution, and unsuppressible evidence. Each is interlocking — solving any one without the others produces a system that fails at the seams. This paper describes the single mechanism that resolves all six simultaneously.

The coordination gap. The gap between a crime occurring and institutional response has always been filled, imperfectly, by bystanders. The instinct to intervene, to stand witness, to outnumber a threat, is older than law enforcement itself — and in most jurisdictions, legal. The right of a private citizen to detain someone witnessed committing a serious offence predates professional policing by centuries.^[25] What has been missing is infrastructure for that instinct to operate as an open market. Public safety provided as a state monopoly carries no price signal, no competition, and no exit — the structural conditions that prevent adaptation to demand regardless of how dysfunctional provision becomes. Bitaid is designed to function as a coordination layer that works independently of the institution beside it: faster when policing is functional, essential when it is not.

The six problems and how they resolve. Coordinating strangers around high-stakes real-world events requires programmable value transfer that no intermediary can block, freeze, or redirect.^[1] Participants who do not know each other must find each other and propagate alerts in real time without any central server that can be seized or subpoenaed — low-bandwidth alert traffic over Tor, high-bandwidth footage over I2P or equivalent, with no exit node surveillance surface.^[5][6] Economic stakes must attach to that coordination in a way that aligns incentives without trusting anyone to hold the money. Network roles must emerge and sustain themselves without administrative assignment. Disputes must resolve without courts. Evidence must be committed and distributed before it can be suppressed. Bitcoin, conditional escrow scripts, a geofenced Tor DHT, and a content-addressed archival market address each of these in turn — but the mechanism that makes them cohere into a single system, rather than six separate partial solutions, is Proof of Bond with Reputation.

Proof of Bond with Reputation. The bond is refundable personal collateral — an escrow: capital locked in a conditional Bitcoin script at registration and returned intact on honest use, forfeited only on confirmed misuse. It prices entry into every role and makes bad faith costly without taxing honest participants. The reputation is an earned track record across real case history, weighted by calibration coherence and discounted by temporal seasoning — influence that cannot be purchased, only demonstrated over time. Neither component is sufficient alone: a bond without reputation can be overwhelmed by capital; reputation without a bond has no forfeiture mechanism and no entry cost. Together they are Sybil-resistant in the same structural sense as Bitcoin’s proof of work — the cost to attack is real, non-transferable, and compounds against the attacker.

Bitcoin PoW makes chain reorgs prohibitively expensive through irreplaceable energy expenditure that cannot be faked, parallelised, or purchased away from the honest chain. PoB+R does the same with two different inputs. Capital locked in bonds is the economic energy — non-transferable while posted, forfeited on misuse, compounding against attackers who acquire more seats. Accumulated reputation is the proof of work done — influence earned through real case history and calibration compliance over calendar time that no amount of capital can accelerate. The temporal seasoning requirement means a newly created account’s coherence history is down-weighted until ninety days of real participation have elapsed: rep_score × min(1, days / 90). Two thirds of every jury panel must be drawn from rep-qualified accounts. Capital alone cannot buy that majority. In that precise sense PoB+R is a human proof of work, denominated in irreplaceable economic energy and demonstrated labour rather than in joules.

The pool-level gate reinforces the per-account gate. The jury pool is closed by default — no new juror can join unless a slot is explicitly open. Slots open through natural turnover or when sustained queue depth signals genuine undersupply. Entry is merit-selected: applicants compete on coherence reviewing historical calibration cases, pay a market-priced participation fee to BCAEN archival nodes, and lock an intention bond in escrow. The applicant who scores highest on the review wins the slot. Capital cannot guarantee entry; work can. A Sybil farm flooding the competition with 1,000 identities pays 1,000 participation fees — non-refundable regardless of outcome — and each identity must independently outscore honest applicants on calibration cases. The pool grows only at the rate genuine demand opens slots, not at the rate an attacker can post capital. It requires no global consensus — no blockchain — no energy expenditure beyond what participants already commit, and no token. It enforces local coordination resilience through skin in the game — stakes as pre-loaded indemnifications — and verifiable track record.

What this paper establishes. Section 2 specifies the bond system and escrow scripts. Sections 3–6 specify the network roles, payment protocol, and evidence layer. Section 7 specifies the arbitration mechanism in full, including the jury pool closure and merit-based entry mechanism, penalty scaling, appeal subsidy mechanism, and bond withdrawal rules. Sections 8–11 cover the trust web, deployment, legal architecture, and privacy model. A companion document publishes the full threat vector analysis against 29 identified attack surfaces. The contributions of this protocol relative to prior art are enumerated in the following section.

Original contributions

Bitaid is built on proven primitives — Bitcoin scripting, Tor (alerts and gossip), I2P or equivalent high-bandwidth anonymous transport (BCAEN uploads and retrievals), Kademlia DHT, content addressing, commit-reveal voting, submarine swaps, and EIP-1559-style fee adjustment — none of which it invented. The following are original contributions:

Three-tier economic offer — stake, bounty, and conditional outcome reward as simultaneous real-time spot market price signals for passive emergency response. No precedent exists for this structure applied to real-world incident coordination by strangers with no prior relationship.

Actuarial insurer reserve with encumbrance tracking — a line of cover for caller stakes with real-time encumbrance propagated over gossip, distinguishing real from potential exposure. Opt-in insurer buffers extend to responder, jury, and archival bonds — seized before personal capital on forfeiture, carrying zero protocol weight.

BCAEN archival market — decentralised content-addressed storage with incentivised archival is established prior art — several existing protocols implement content addressing, competitive slot auctions, and availability challenges. BCAEN adapts these primitives for a specific forensic application: footage and metadata generated during a live incident, where the integrity and availability of evidence directly determines arbitration outcomes. The novel integration is threefold: payment flows from the same conditional Bitcoin escrow that governs the incident itself, rather than from a separate storage market; the SHA-256 hash is broadcast over gossip before upload completes, making suppression structurally impossible before any archiver has custody; and availability challenges serve a dual purpose as evidence chain-of-custody proofs, not merely storage market incentives. The calibration case library is additionally self-funded by juror applicant participation fees, with no external subsidy mechanism required.

Closed jury pool with merit-based entry — the jury pool is closed by default; slots open only on natural turnover or sustained demand signal (72-hour non-zero queue). Entry is decided by coherence competition: applicants review 10 historical calibration cases, pay a market-priced non-refundable participation fee to BCAEN archival nodes, and lock a scaled intention bond in escrow. Highest scorer wins. Capital cannot guarantee entry; work determines selection. Sybil farms pay N participation fees for N identities, each of which must independently outscore honest applicants. At genesis (calibration library < 100 cases): invitation track and weighted lottery as fallback. Governance-free, adversarially robust, self-funding via BCAEN participation fees.

Reputation quota with temporal seasoning — two thirds of every jury panel must hold verified case history; seasoning discounts rapidly accumulated records; cohort correlation detection penalises coordinated voting blocs.

Passive retroactive fraud detection — fabricated incident chains are surfaced automatically by statistical dissent across calibration queue reviews at a 40% threshold. No individual submitter required. Forfeiture funds the review panel at normal case rates; remainder subsidises BCAEN redundancy via 90-day drip release.

Bond withdrawal delay — 90-day hold from last case close, extended by any active retroactive review. Ensures malicious juror bonds remain present for forfeiture. Early release path available via juror-requested audit at normal case fee.

Event-driven jury fee market — fee adjusts ±12.5% per case close on queue depth signal, targeting zero backlog. No protocol floor — price drifts freely to market clearing level.

Configurable jury quality market — two independently adjustable panel parameters (coherence threshold 80%–99%, open seat fraction 0–⅓) embedded at escrow construction, enabling a premium service market for adjudication quality. The ⅔ rep-qualified invariant is non-configurable; both settings can only raise the Sybil defence. Fee differential paid ad hoc by the requesting party. 72-hour fallback to defaults if the configuration is unreachable. The same free market logic as relay acceptance thresholds applied to jury quality.

Proof of Bond with Reputation — a named Sybil-resistance primitive combining refundable personal collateral with earned case history. Human proof of work requiring no blockchain, no token, no trusted party.

2. The Bond System

Without skin in the game, every alert is free to fake. Without programmable money, skin in the game cannot be enforced without trust.

Bitaid\'s multiple bond tier mechanisms create legible offer and demand signals that did not previously exist. A caller staking real capital on an incident expresses the severity of what is happening. A bounty expresses the value of rapid presence. A conditional outcome reward expresses the value of actual intervention. Together they constitute the first market price signals for passive emergency response — not the pre-arranged market for private guards or contracted security firms where the price is set before any emergency exists, but a real-time spot market where strangers bid to respond to unscheduled incidents by unknown callers, conditional on attendance and outcome.

The load-bearing primitive of Bitaid is a conditional Bitcoin escrow — a bond system that locks capital per user, as a deposit recoverable intact on valid use when staked, spendable on a payment for bounties, rewards, services and even indemnification or penalties from arbitrated sentences.

The bond is denominated in Bitcoin because Bitcoin is the only asset that functions as pristine collateral^[1][29] for a trustless coordination protocol: programmable, enabling conditional spending logic without any intermediary except the legitimate key holders; final, settling without recourse to any bank, court, or government; uncensorable, meaning no authority can freeze or redirect it; and globally auditable, so any party can verify any bond exists without asking anyone\'s permission.

Bond Types (Stakes)

Each bond is direct personal capital, with an optional insurer buffer on top — disclosed to all parties, carrying zero protocol weight, seized before personal capital on any forfeiture.

Caller bonds — three tiers, each independent:

1. Stake — the caller’s refundable good-faith deposit. Proves the incident is real. Returned intact on honest use, forfeited on confirmed misuse. + insurer buffer opt-in.

2. Bounty — an optional appearance payment compensating responding nodes for showing up and documenting, regardless of outcome. Prices the value of presence. + insurer buffer opt-in.

3. Conditional reward — an optional escrow released by the independent jury on verified outcome. Prices the value of the problem being solved. + insurer buffer opt-in.

Responder bond — backs the responder’s skin in the game on every incident attended. Forfeited on confirmed misuse or bad-faith arbitration. + insurer buffer opt-in.

Jury bond — dedicated arbitration deposit, minimum 0.1 BTC. Required to sit on panels. Lost at a penalty rate between 2× and 4× on incoherent votes, scaling continuously with dissent isolation and appeal tier. + insurer buffer opt-in.

Archival bond — posted by BCAEN (Bitaid Content-Addressed Evidence Network) storage operators. Forfeited on corrupted or unavailable records. + insurer buffer opt-in.

Direct capital always outweighs insured capital in protocol scoring. Insurer buffers are fully disclosed — users are responsible for what they contract.

2.1 The Stake

Not a fee. A credential. It costs nothing if you act in good faith.

The stake is a Bitcoin amount locked in a conditional escrow — by default on the Liquid sidechain as an Elements script, or on the Bitcoin base layer as a P2WSH script. It is not spent when an alert is sent. It is frozen capital retained in full if the caller acts in good faith, and forfeited only on confirmed misuse.

Caller bonds may be structured as a fully reserved Direct bond or as an actuarial insurance reserve Insured bond, made possible by the sequential nature of emergencies: because a single caller cannot be in two incidents simultaneously, an insurer may back multiple caller identities from a shared pool. For responder, jury, and archival bonds, the base personal deposit must always be fully reserved. However, any of these roles may opt into an insurer buffer on top of their personal bond — disclosed to all parties, carrying zero protocol weight, and seized before personal capital on any forfeiture event. Concretely: the insurer buffer is not included in the stake_ratio used for vote weighting or jury selection — only the participant's directly posted personal capital counts toward any weight calculation. The total on-chain escrow is visible to all parties and includes the buffer, but the protocol strips it before computing influence. This extends indemnification to damaged parties without compromising the integrity of weight-based scoring.

2.2 The Three-Tier Bond Offer

Each tier prices a different thing. Together they constitute the first market price signals for passive emergency response.

Above the stake, the caller configures their economic offer in three tiers. The first tier is the stake itself — the good faith credential. The second tier is an optional bounty — an appearance payment compensating responders for showing up and documenting regardless of outcome. The third tier is an optional conditional outcome reward — held in a separate escrow and released by the independent jury on verified outcome.

Each tier prices a different behaviour: the stake prices honesty, the bounty prices presence, the conditional reward prices intervention.

2.3 Escrow Scripts and Spending Paths

Three paths. Every outcome covered. No intermediary on any of them.

Every bond in the protocol — caller stake, bounty, conditional outcome reward, responder bond, jury bond, archival bond — lives in its own independent conditional escrow. Each escrow uses the same dual-backend architecture: an Elements script on Liquid for standard stakes, or a P2WSH script on Bitcoin L1 for institutional-scale capital.^[2][4] The bond types differ in who posts them and what conditions trigger forfeiture, but the script architecture and the set of spending paths are the same across every escrow.

Three spending paths apply to each escrow. Path A is cooperative release — the parties agree and co-sign settlement. Path B is an arbitration verdict — the attending-only vote or jury panel produces a signed outcome that executes the spend. Path C is a CHECKLOCKTIMEVERIFY timelock — an absolute backstop after a defined block timeout. For parties in pre-existing commercial relationships, an optional fourth path may be added: a federation multisig from a credentialed arbitration body whose N-of-M pubkeys are embedded in the script.

The same three paths mean structurally different things for different bond types. Taking the caller stake as the illustrative example: Path A releases the stake back to the caller on cooperative close; Path B seizes the stake on an adverse arbitration verdict; Path C returns the stake unilaterally if the incident resolves without settlement or dispute. For the responder bond, Path A returns it intact at clean case close; Path B forfeits it on a misuse ruling or bad-faith arbitration verdict; Path C returns it after the post-incident window passes without a dispute being raised. For the jury bond, the coherent-vote path releases the juror's bond plus their coherent-juror share of the fee; the incoherent-vote path forfeits between 2× and 4× of their proportional stake scaled by dissent isolation and panel tier, subsidising the next appeal tier's fees up to the cost of that round with any remainder going to the coherent majority pool at the current tier; the timelock path returns the bond after a hold period following any successful appeal. For the archival bond, Path A releases the bond after the retention window completes with all availability challenges passed; Path B forfeits it proportionally on failed challenges or corrupted records; Path C is the default return at retention end.

The mechanism is uniform. The triggers are role-specific. All spending paths settle on-chain without any central party, by the script itself executing the conditions embedded at escrow construction.

An optional jury quality configuration may be embedded at escrow construction. Either disputing party may specify two independent settings above the protocol defaults: a minimum coherence threshold for rep-qualified seats (range 80%–99%, default 80%) and whether the open seat fraction is active (default: ⅓ open seats; configurable to zero, meaning all seats drawn from the rep-qualified tier at the set threshold). The ⅔ rep-qualified majority is a protocol invariant that cannot be reduced by either setting — raising the threshold tightens who qualifies for those seats; removing the open fraction raises the rep-qualified share to 100%. Both raise the Sybil defence; neither can lower it. The party requesting non-default settings pays the fee differential above standard case cost ad hoc from their own capital, not from the shared escrow. If the specified configuration cannot clear within 72 hours of escalation — because the threshold is unrealistically high relative to the available qualified pool — both settings reset to protocol defaults automatically and the case proceeds at standard tier.

2.4 Entry Floors by Role

The minimum must be low enough to include everyone who belongs, and high enough to price out those who don't.

Each role has its own entry floor, calibrated to the responsibility the role assumes. A caller posts capital to signal a real incident; a service provider posts capital to back the judgement calls their role produces. The floors are deliberately asymmetric.

Caller stake floor — 5,000 satoshis at genesis. Approximately $0.50 at $10,000 per BTC, rising to $5 at $100,000 per BTC. Low enough that any participant with genuine need can register; high enough that bulk false-alarm campaigns face real cumulative cost. The floor follows a deterministic 20% annual nominal deflation from Bitaid's application-layer genesis block height — a fixed reference established at protocol launch, separate from Bitcoin's genesis. The 20% rate is calibrated to roughly offset Bitcoin's historical appreciation range of 10–30% per year, keeping the fiat-equivalent caller floor approximately stable over time. Computed independently by every Core. No oracle, no governance, no trust required.

Responder bond floor — 0.01 BTC at genesis. Approximately $1,000 at $100,000 per BTC. The responder physically intervenes, uses force where the legal framework of citizen arrest applies, and is exposed to civil and criminal liability as well as BCAEN-documented misuse rulings. The floor is set two orders of magnitude above the caller floor: a caller signals an incident at minimal cost; a responder backs their judgement and conduct with capital that represents a meaningful personal loss on forfeiture. This floor closes the attack surface in C2.1 (phantom attendance), C2.2 (vote collusion), and C2.4 (excessive-force intervention). Attack surface codes (C2.1 etc.) refer to entries in the companion Threat Vector Map, which enumerates all 29 identified attack surfaces and their protocol mitigations. Unlike the caller floor, the responder bond floor carries no deflation schedule. As Bitcoin appreciates, the fiat-equivalent cost of the responder bond rises. This asymmetry is intentional: the caller floor deflates to preserve accessibility on the demand side regardless of Bitcoin's price trajectory, while the responder floor rising in real terms passively filters toward professionalisation on the supply side. Individual responders operating at genesis are joined over time by insured firms and security companies for whom a larger bond is a normal operating cost — the way licensed contractors absorb statutory bonding requirements today. The protocol never needs a governance vote to raise professional standards; Bitcoin appreciation does it automatically.

Jury bond floor — minimum 0.1 BTC, fixed. Ten times the responder floor. The jury decides conditional outcome reward releases and contested arbitration — their verdict moves the largest sums in the protocol, and their incoherent votes are penalised at a rate between 2× and 4× scaling with dissent isolation and appeal tier. The 0.1 BTC minimum ensures the penalty band represents a real deterrent. The pool is closed by default; entry is via merit-based coherence competition rather than open-market bond posting — this is the primary defence against capital-flood attacks on jury selection (§C4.1). The entry mechanism works in conjunction with the reputation quota, temporal seasoning, and cohort correlation detection described in section 7.5.6.

Archival bond floor — 0.005 BTC base, scaling with declared capacity. Half the responder floor at genesis. The archival node is custodian of evidence that may determine arbitration outcomes but does not exercise physical judgement or impose on other parties directly. Bond size sets the node's floor bid in the slot auction; declared capacity above the minimum scales the bond linearly. Forfeiture is proportional to failed availability challenges. This floor closes the attack surface in C6.2 (availability fraud) and C6.5 (slot collusion). Like the responder floor, it carries no deflation schedule: rising real-terms capital requirements passively filter toward professional storage operators as the network matures and incident volume grows.

The pattern is consistent and the ratios are deliberate: caller floor at 5,000 sat, responder at 0.01 BTC (2,000×), jury at 0.1 BTC (20,000×), archival at 0.005 BTC (1,000×). Entry cost tracks the liability the role assumes. A caller risks their stake against a misuse ruling. A responder risks their bond against both misuse and bad-faith arbitration, with their physical conduct on camera and subject to jury review. A juror risks between 2× and 4× their bond against incoherent votes, scaling with the isolation of their dissent and the appeal tier they are sitting at. An archival node risks proportional forfeiture against failed availability challenges. The elevated service-provider floors ensure that anyone taking on adjudicative or custodial responsibilities has genuine capital at stake commensurate with the harm their failure could cause.

2.4.1 Price Discovery for Aid

Floors are static. Prices are discovered.

The entry floors above are the minimum capital required to participate in each role. They are not prices. Prices for actual aid are discovered in a separate market with two sides.

The caller side posts three demand signals above the stake floor: the stake itself, which prices the severity of the incident as the caller represents it; the optional bounty, which prices the appearance payment the caller is willing to fund regardless of outcome; and the optional conditional outcome reward, which prices the outcome they most want achieved. These three signals together constitute the caller's full economic offer. The caller also filters response implicitly through acceptance thresholds: responders with insufficient reputation for the stake level being posted simply do not see the alert, or see it ranked below others.

The responder side takes offers by acting on them. A responder who accepts an alert and physically attends is taking the caller's offer as presented. A responder who passes is signalling that the offer does not match their time, capability, and risk for that moment. No protocol rule requires anyone to accept any alert; no penalty attaches to passing. The protocol routes alerts and lets the market clear.

As the network matures, the clearing price for response at any given time and place emerges from the interaction of these signals — without any central dispatcher setting priorities, and without any administrative rate card. Each responder Core additionally sets a local acceptance threshold above the protocol floor, published as a rolling local median advisory to callers. This per-node threshold is how the network self-calibrates across different Bitcoin price environments and local economic contexts, as discussed in section 4.3.

2.5 Stake-Backed Coverage and the Insurance Primitive

Capital that covers many without multiplying risk is capital deployed intelligently.

Any caller with a clean stake history may extend their stake as coverage for invited callers. Insurers may also co-fund caller stakes from a shared pool under the actuarial insurance reserve model — possible because emergencies are sequential: a single caller cannot be in two incidents simultaneously, so one pool can back many identities with actuarial confidence. Separately, insurers may extend an opt-in buffer on top of any fully-reserved personal bond — responder, jury, or archival — where the buffer sits above the real personal deposit, is seized first on forfeiture, carries zero protocol weight, and is disclosed to all parties.

The mechanism by which the insurer buffer is seized first is script-level, not legal. At bond registration time the insurer posts a second UTXO into the same escrow script alongside the participant's personal bond UTXO. Both UTXOs are locked by identical forfeiture conditions — jury verdict or attending-vote outcome. The insurer signs at registration, not at forfeiture; by the time a verdict fires, the insurer's capital is already inside the script and the protocol can spend it as part of the same forfeiture transaction. Output ordering in that transaction consumes the insurer UTXO first and the personal bond UTXO second. The protocol is not reaching into the insurer's wallet — the insurer's capital was committed to the script at the moment they agreed to back the participant. "Seized before personal capital" means the insurer UTXO is the first output consumed, enforced by the script itself, not by any legal agreement or off-chain claim.

The protocol distinguishes real collateral from potential collateral correctly: actuarial reserve pools are accounting for genuine simultaneous-use statistics, not creating phantom capital. Real-time encumbrance is tracked against insurer UTXOs and propagated over gossip. The insurance primitive this enables is novel: reusable collateral that returns intact after each resolved incident rather than being consumed as premium, usable across every bonded role in the protocol.

3. Network Roles

Different bonds. Different hardware. One network.

3.1 Caller

The lowest friction point in a crisis must be frictionless.

The caller is any person in need of help. Anyone can register. The caller's companion app is optimised for a single moment of maximum stress: triggering an alert as fast as possible. No Core daemon required — the companion app connects to a public relay or a trusted contact's Core over Tor Hidden Service API for alerts and gossip. No recording hardware required at registration.

At registration the caller commits their stake, configures their optional bounty and conditional outcome reward, calibrates their panic trigger, and designates a recovery address — a Bitcoin address to receive the stake return in the event of incapacitation. The stake is already in place before any incident occurs. A caller in danger presses one button. Nothing else is required of them.

The panic trigger activates immediately on press. Pre-trigger buffering — a configurable rolling window of up to 60 seconds — captures the moments before the button is pressed as well as after. A 911 call (or local equivalent) is an opt-in feature, off by default — enabled per-caller in settings when the user wants state-service integration alongside the protocol response. Regardless of whether a 911-equivalent call was placed, an audio transcript of the incident can be attached to the post-incident report as a supplementary evidence track, stored in BCAEN alongside the video footage, and subject to the same access-consent model. Feel Unsafe mode allows a lower-commitment signal — a soft alert that notifies nearby responders without triggering full escrow commitment, useful for situations that may resolve without incident. No stake is locked; no bond is encumbered. The mode exists to lower the friction of calling for help in ambiguous situations, reducing the cost of a false alarm to zero while still attracting attention.

BCAEN upload and hosting micro-payments for caller-originated evidence — the pre-trigger buffer, audio stream, and any transcripts — are funded from the caller stake or deducted against the bounty escrow at settlement. Evidence archival is not a separately-billed service; the cost of preserving the documentary record of the incident is internalised into the capital the caller already posted. This ensures the evidence layer is always funded at incident creation rather than requiring a second payment step during a crisis.

Caller identity is held encrypted locally and never transmitted in plaintext. Full identity disclosure is caller-initiated only: if the caller chooses to disclose to attending responders or to a legal authority, they sign a disclosure transaction. The protocol does not automatically disclose caller identity to any party.

3.2 Responder

The most capable people for this work are already trained. They just have no market to sell into.

The responder physically attends incidents. The role requires a higher minimum bond than the caller, a paired AidCore daemon, and recording hardware. The responder earns income through the three-tier economic offer and builds a reputation record that compounds over time.

The alert card shows the full three-tier economic offer — bond amount as credibility signal, bounty as appearance payment, conditional outcome reward and its condition if configured — alongside pre-trigger footage if available, caller attestation status, and the count of other responders who have already accepted. The conditional outcome reward is displayed prominently as the primary competitive signal for professionals. Passing on any alert carries no penalty.

The responder's personal bond must be fully reserved — no fractional reserve on the base deposit. An opt-in insurer buffer may supplement it, disclosed to all parties, carrying zero weight in protocol scoring, and seized before personal capital on any forfeiture event. Recording hardware — a paired body camera or drone — connects to the companion app via Bluetooth or USB-C and streams footage directly to BCAEN on incident acceptance.

BCAEN upload and hosting costs for responder-originated evidence are funded initially by the responder's own capital at upload time. This ensures footage lands in the archival network the moment an incident is accepted, before any dispute can arise about settlement — evidence cannot be held hostage by a caller refusing to co-sign or a responder deciding post hoc that documenting would be inconvenient. At case close, these upload costs are reimbursed to the responder from the caller's stake escrow as part of standard settlement. If the caller successfully disputes the outcome and the arbitration verdict goes against the responder, the upload costs remain the responder's loss. This aligns incentives precisely: responders only upload material they would stand behind under adversarial review, because they are funding the evidence that may later be used to judge their own conduct.

The right of a private citizen to detain someone witnessed committing a serious offence predates professional policing by centuries and exists in most jurisdictions worldwide. Responders operate within this legal framework. The protocol surfaces jurisdiction-specific legal reference to the responder's companion app based on grid cell location.

3.3 Relay Node

Relaying is not a role. It is what being on the network means.

Every AidCore daemon relays by default. There is no separate relay role, no forwarding fee market, and no protocol-level payment for packet routing. A caller who runs their own Core to avoid connecting to third-party infrastructure is simply a self-sovereign participant. A responder relays. An archival node relays. A jury node relays. All of them relay because that is what AidCore nodes do — it is the baseline cost of network membership, not a monetised service.

The network enforces its own liveness through dead-end scoring. Cores that observe a peer failing to propagate alerts attest to that failure over gossip; accumulated dead-end attestations reduce that peer's priority in routing tables and eventually lead to exclusion from peer connections. The thresholds are: a dead-end ratio above 0.3 over the most recent 200 attestations triggers deprioritisation in peer routing tables; a ratio above 0.6 over the same window triggers exclusion from peer connections. Both thresholds use a rolling window rather than a lifetime count, so nodes that recover honest propagation behaviour recover their routing position over time. Because relaying nodes post no relay bond, there is nothing to slash — dead-end scoring carries no forfeiture component. What it does carry is routing consequence: a node that accumulates dead-end attestations sees reduced network presence, fewer alerts routed through it, and diminished peer connectivity. This is a routing reputation signal, not a capital penalty — analogous to how route preference works in internet routing, where peers that fail to propagate correctly are simply preferred less. Nodes that want good routing position maintain honest propagation behaviour. Nodes that do not care about routing position are, by that fact, not useful to the network and the network responds accordingly.

3.4 Jury Node

A jury that loses money for being wrong is a jury with skin in the game.

The jury node is an AidCore daemon operator who has posted a jury bond of at least 0.1 BTC. Jury nodes are selected to adjudicate contested incidents and to release conditional outcome rewards on verified outcomes. Eligibility requires passing a retro-testing threshold — at least 80% agreement with consensus outcomes across a minimum of ten prior cases — and a 30-day time-lock prevents rapid re-entry after bond forfeiture.

Jury nodes may specialise in subcourt categories — medical, property, detention — and cases are preferentially routed to matching subcourts. An opt-in insurer buffer may supplement the jury bond, seized before personal capital on forfeiture, carrying zero weight in scoring. The full jury mechanism is specified in section 7.5.

Jury nodes that accumulate 50 or more cases with a lifetime coherence score of 90% or above and a seasoning period of at least 180 days qualify for the upper band of the configurable coherence range. No separate registration is required — these jurors are automatically eligible for higher-threshold cases as specified at escrow construction. Cases specifying a higher threshold pay higher fees reflecting the smaller qualified pool; the fee is paid ad hoc by the requesting party.

Bond withdrawal is subject to a mandatory 90-day delay from the juror's last case close. During this window the bond remains encumbered and subject to forfeiture if a retroactive fraud proof is validated against any case the juror participated in. A juror who exits the role without triggering any retroactive review within the window recovers their full bond at day 90. A juror whose case history is placed under active retroactive review has their bond frozen for the duration of that review, regardless of when they initiated withdrawal. This is the mechanism that gives retroactive fraud detection real teeth: a malicious juror cannot corrupt a verdict and immediately exit with their capital.

3.5 Archival Node

Evidence that costs nothing to delete will be deleted.

The archival node is an AidCore daemon operator who has posted an archival bond and declared storage capacity. Archival nodes bid for BCAEN (Bitaid Content-Addressed Evidence Network) storage slots at incident creation, host footage and evidence chunks during the retention window, and respond to cryptographic availability challenges to prove continued hosting. Payment is held in escrow and released incrementally against passed challenges. Bond is forfeited proportionally on failed challenges or corrupted records.

The storage required scales with incident volume and footage quality. A Raspberry Pi with an attached SSD meets the minimum specification for standard-definition footage. Archival nodes may selectively bid for incident types and quality tiers. An opt-in insurer buffer may supplement the archival bond, seized before personal capital on forfeiture, carrying zero weight in scoring. The full archival mechanism is specified in section 6.4.

4. Incentives

Without price signals, no system can know what it is doing wrong.

4.1 The Three-Tier Price System

Each tier prices a different behaviour. Together they constitute the first price system for emergency response.

The bond prices honesty: a caller who stakes real capital signals that the incident is real and that misuse carries personal cost. The bounty prices presence: an appearance payment that compensates responders for showing up and documenting regardless of outcome. The conditional outcome reward prices intervention: the largest and most consequential amount, released by the independent jury on verified outcome — suspect detained, caller evacuated, medical stabilisation confirmed. Each tier is optional above the first; each adds competitive signal for professional responders.

As the network professionalises, callers who offer no bounty or conditional reward will find fewer professional responders accepting their alerts — not because the protocol blocks them, but because professional responders price their time and risk against the full economic offer. The protocol routes alerts and lets the market clear. No authority determines priorities. The three tiers together produce the first market price signals for passive emergency response — not the pre-arranged bilateral market for private guards or contracted security firms, where the price is set before any emergency exists and the service is delivered regardless of whether an incident occurs, but a real-time spot market where strangers with no prior relationship bid to respond to an unknown caller at an unknown location, with payment conditional on showing up and performing. That market has not existed before, not because no one thought of it, but because it required trustless conditional payment and pseudonymous coordination that no prior technology made possible.

4.2 Rating, Reputation, and Arbitration Weight

Not all voices carry equal weight. The protocol knows the difference.

The bounty is structured in two tiers. The guaranteed floor — 70% of the professional share — is split among confirmed professional attendees who meet a minimum footage contribution score: sustained proximity to the caller's last known GPS position for a minimum on-scene duration, derived from BCAEN timestamp and GPS metadata. The performance variable — the remaining 30% — is distributed by a composite score of caller rating (stake-weighted, discarded if caller is a confirmed troll), peer attendee ratings (merit-weighted), and footage contribution inference from BCAEN metadata. In the caller-absent case — dead, incapacitated, or confirmed troll — peer ratings and footage inference carry the full variable tier.

Each attendee's influence in arbitration is weighted by: the square root of their stake relative to the median attending stake (capped at 3× to prevent capital dominance); their reputation score log-normalised from accumulated caller ratings; and their accumulated bounty history log-normalised against a network reference. Combined weight formula: weight = sqrt(stake_ratio) × (0.1 + rep_factor × bounty_factor). stake_ratio is computed from the participant’s directly posted personal capital only — the insurer buffer, if present, is excluded before this calculation. The 0.1 floor prevents new legitimate responders from scoring zero. Reputation and bounty history are log-normalised to prevent runaway dominance by long-tenured responders while still rewarding experience.

4.3 Stake Floor Dynamics and Market Clearing

The floor sets the minimum. The market sets the price.

The stake floor deflates deterministically at 20% per year from Bitaid's application-layer genesis block height, computed independently by every Core from block height alone. No oracle, no governance, no trust required. The 20% rate is calibrated to roughly offset Bitcoin's historical appreciation range of 10–30% per year, keeping the fiat-equivalent caller floor approximately stable across decades without human intervention. Above this floor, each responder Core sets its own acceptance threshold. The protocol surfaces the rolling local median as an advisory signal to callers — a visible answer to "what stake level will get a response here?" — but no rule enforces it. Market behaviour does.

This per-node acceptance threshold is the mechanism through which the network self-calibrates across radically different Bitcoin price environments and local economic contexts without governance. A globally fixed floor that represented meaningful skin-in-the-game at $50,000 per BTC becomes trivially cheap at $500,000 — or prohibitive for a lower-income region at any price. The deflation schedule adjusts the protocol floor as a blunt instrument, but individual operator thresholds are the fine-grained signal. A node operator in a high-cost city with professional responders sets a higher threshold. A node in a region where a smaller absolute amount represents genuine personal cost sets a lower one. Neither requires a protocol change or governance vote. The local information about what constitutes real skin-in-the-game is held by the operator, and the threshold mechanism is how they express it — a direct application of distributed knowledge to parameter-setting that central governance cannot replicate.^[12]

In a dense urban cell with active sponsorship and high bounties, the effective clearing price rises naturally. In a sparse rural cell with fewer responders, even a low stake attracts attention. Every relay identity and responder identity also incurs non-recoverable transaction fees to register and maintain — a net cost that compounds with every additional identity regardless of attack success, an independent Sybil tax that the protocol does not need to enforce explicitly.

4.4 The Insurance Flywheel

The product gets cheaper as it works better.

Insurers compete not only on subscriber pricing but on the bounty and conditional outcome reward levels they fund — higher offers attract better-equipped professional responders, better responders achieve better outcomes, better outcomes justify higher premiums, higher premiums fund larger offers. The flywheel compounds at every tier.^[15] The insurer's own success suppresses the risk it is pricing. A \$2M life policy subscriber generates enough premium to fund a meaningful conditional outcome reward. The rescue reward functions as a hedge: if the responder succeeds in preventing a fatality, the insurer avoids a life claim worth multiples of the reward payout.

This is the opposite of every dynamic in monopoly public safety provision, where budget growth tracks failure rather than success. A police force that prevents more crime receives no additional funding signal from that prevention.^[20][21] An insurer that prevents claims profits directly from that prevention. The incentive structures are structurally different, and the outcomes follow.

4.5 Sponsorship and Cold-Start

A network with no history is a network no one trusts. Sponsorship solves the chicken-and-egg problem.

Any caller with a clean stake history may extend their stake as coverage for invited callers — a web of trust primitive that bootstraps participation without requiring new entrants to self-fund immediately. The sponsored caller's weight reflects the sponsor's track record as well as their own. If any covered invitee triggers a misuse ruling, the covering stake is claimed and all dependents lose coverage simultaneously — a powerful incentive to vet invitees carefully. Professional security firms, community organisations, and insurers can onboard subscribers at scale using sponsorship, solving the cold-start problem without any protocol-level intervention.

5. Network Architecture

A panic button that drains the battery or requires a server room is not a panic button.

5.1 Two-Tier Node Architecture

The device that must be always-ready cannot also be always-working.

The Bitaid Core is a headless daemon running on a Raspberry Pi, server, or VPS. It maintains all network state: DHT participation, Tor circuits for alerts and gossip, high-bandwidth transport circuits for BCAEN uploads and retrievals, stake credentials, grid cell registration, alert validation, and all cryptographic operations. It exposes a local API via Tor Hidden Service. The Core never holds signing authority — the user's device retains the keypair and signs locally. A compromised Core cannot forge signatures or redirect funds.

The Bitaid Mobile companion app is a thin client handling only GPS, camera, UI, and notifications. It connects to the Core via the Tor Hidden Service API. Two registration profiles exist: the caller profile, which presents the stake configuration, panic button, Feel Unsafe mode, and rating UI; and the responder profile, which adds Core pairing, alert reception, and recording hardware configuration. A caller in crisis never encounters responder configuration screens.

5.1.1 Third-Party Core Connection

Callers who do not run their own Core connect to a public relay Core or a trusted contact's Core for a sat-denominated connection fee settled via Lightning. This thin-client mode requires no hardware beyond a smartphone and no technical setup. The caller's private key never leaves their device. The third-party Core relays alerts and propagates stake credentials on behalf of the caller but has no ability to intercept or redirect funds. Responders always run their own Core — the pairing requirement ensures they have full control over alert reception, routing preferences, and BCAEN archival.

5.2 Alert Validity and Cryptographic Integrity

An alert that cannot be forged needs no trust.

Every alert is signed by the caller's private key and cryptographically linked to their live stake UTXO — on Liquid for standard stakes, on Bitcoin L1 for institutional stakes. A relay cannot forge this signature. Any receiving Core independently verifies it before acting. A fabricated alert fails at the first honest Core regardless of how many relays carried it.

The alert packet contains: the caller's pseudonymous identifier derived from the stake UTXO; a cryptographic commitment to the stake amount and escrow address; GPS coordinates signed by the device; pre-trigger footage hash if available; the three-tier economic offer; and an optional condition string for the conditional outcome reward. All fields are signed together. Modification of any field invalidates the signature.

5.3 Node Discovery

The network must find itself without asking anyone for permission.

Node discovery uses a Kademlia-based DHT adapted to operate over Tor Hidden Services.^[5][6] Tor handles alert propagation and peer discovery. BCAEN video uploads and retrievals use a separate high-bandwidth anonymous transport (section 5.5). Each node has a persistent DHT identity derived from its keypair. Bootstrap nodes are hardcoded in the client but replaceable via configuration — no single bootstrap node is a point of failure. The DHT layer handles node discovery only. Alert routing uses the geofenced gossip layer. The two layers are independent: a node can participate in DHT discovery without receiving or relaying any alerts.

5.4 Geofenced Gossip Protocol

An alert broadcast to the whole world is useful to no one. An alert broadcast to the right street is everything.

Alerts propagate through a geofenced gossip layer. The world is divided into fixed 5 km × 5 km grid cells. Each Core registers its grid cell at startup. Alerts propagate only to Cores in the same cell and adjacent cells — bounding propagation to the geographic area where response is possible, reducing network load, and limiting information exposure. In low-density areas, the propagation boundary expands to adjacent cells automatically. The grid cell topology is also used in jury selection — panels are drawn from Cores in cells geographically distant from the incident cell.

Dead-end scoring is propagated through the same gossip layer. Cores that observe no onward propagation from a peer attest to that observation. Attestations accumulate against a node's DHT identity. A rising dead-end score leads first to deprioritisation in peer routing tables and eventually to exclusion from peer connections.

5.5 Transport Architecture

Different data types have different threat profiles. The transport layer reflects that.

Bitaid uses a hybrid transport architecture rather than routing all traffic through a single anonymity network. The two transport layers have different performance characteristics and different threat profiles, and routing everything through the same layer would mean optimising for neither.

Tor — alerts, gossip, and peer discovery. Alert packets and gossip propagation are low-bandwidth, latency-sensitive, and anonymity-critical. The identity of the sender is the thing most at risk; the content is already encrypted and signed. Tor’s onion routing is well-suited here. The Briar fork^[7] handles this layer — DHT-based peer discovery over Tor Hidden Services, geofenced gossip over Tor circuits, dead-end scoring propagated through the same layer. Briar’s group messaging primitive is the candidate implementation for the ephemeral responder coordination channel that opens on alert acceptance.

High-bandwidth anonymous transport — BCAEN uploads and retrievals. Video footage uploads and archival node retrievals are high-bandwidth, latency-tolerant, and require sustained transfer performance. Tor performs poorly on this workload: the circuit architecture was designed for low-latency browsing, not bulk file transfer, and exit nodes create a surveillance surface that does not exist for intra-network traffic. The preferred transport for BCAEN data is a high-bandwidth P2P anonymous network with no exit node architecture — currently I2P, whose garlic routing and file-sharing lineage make it well-suited to sustained bulk transfers within its network. Lokinet is a viable alternative as its node count grows. The protocol specifies the requirement — anonymous bulk transfer with no exit nodes — rather than mandating a specific implementation, allowing the transport to be upgraded as the landscape evolves without a protocol-layer fork.

The practical division: alerts travel over Tor, footage travels over I2P (or equivalent). A node participates in both networks simultaneously. The caller’s identity is protected by Tor for the alert. The footage’s integrity is protected by content-addressed hashing regardless of transport. Neither layer reveals the other’s traffic patterns to an observer.

5.6 Protocol Versioning and Upgrade Paths

An ungoverned protocol still needs a way to improve without tearing itself apart.

Protocol versioning follows a two-track model. Backward-compatible additions are soft upgrades: old Cores ignore fields they do not recognise, no network split occurs. Changes to core validation rules are hard forks that split the coordination layer. On-chain bonds do not split: a stake UTXO on Liquid or Bitcoin L1 is valid on both forks because the blockchain has no knowledge of application-layer protocol rules.

Fork preference is signalled through the existing weight mechanism: Cores signal their preferred fork version in gossip attestations. Both forks run simultaneously during transition. The market resolves which fork survives. Bitaid forks are positive-sum coordination disagreements, not existential monetary contests — the economic layer persists through any fork because it lives on Bitcoin, not on the application layer.

6. Evidence Layer

Footage that can be deleted is not evidence. Footage that has already escaped is.

The Bitaid Content-Addressed Evidence Network (BCAEN) is the protocol\'s answer to the suppression problem. Every piece of recording produced during an incident is cryptographically signed, timestamped, GPS-tagged, and uploaded to a distributed archival network before any party can intercept or delete it. The evidence does not live on any single server. It lives on every archival node that won a storage slot for that incident — and the economic incentives of those nodes depend on keeping it available.

6.1 Recording

Recording begins automatically when an alert is triggered. The companion app activates the device camera and any paired recording hardware simultaneously. Pre-trigger buffering — a configurable rolling window of up to 60 seconds — means the moments before the panic button is pressed are captured as well as the moments after. The caller may disable pre-trigger recording in settings. Audio is recorded as a separate track and treated as a distinct evidence stream under the same upload and integrity pipeline.

6.2 BCAEN Upload and Integrity

Each recording chunk is hashed using SHA-256 and the hash is broadcast over the gossip network before upload completes — meaning the existence and integrity fingerprint of the footage is propagated to hundreds of nodes before any single copy lands anywhere. Tampering with an uploaded chunk is detectable by any node holding the hash. The chunk is signed by the recorder\'s private key, establishing non-repudiation: the footage cannot later be disowned.

GPS coordinates and device timestamps are embedded in each chunk header. Where hardware attestation is available — a GPS module with cryptographic signing capability, or a tamper-evident body camera — the attestation signature is included. Where it is not, dispatcher attestation from the responding Core serves as the primary integrity signal; caller attestation serves as secondary. Cross-validation between multiple independent recorders at the same scene is the primary spoofing mitigation. Multiple independent feeds from distinct devices, angles, and positions — each hashed and gossip-propagated before any coordination is possible — make consistent fabrication across corroborating sources scale in difficulty with attendance, providing structural resistance to AI-generated video substitution.

6.3 Access

BCAEN footage is not publicly accessible by default. Access during an active incident is limited to attending responders and the caller. After incident close, access is governed by a tiered consent model: the caller and any confirmed attendees may access their own incident footage at any time. Third-party access — insurers, legal representatives, law enforcement — requires a signed consent transaction from at least one party to the incident. The protocol does not prevent court-ordered access; it ensures that any access event is itself recorded on-chain.

6.4 Archival Storage and Incentivised Retention

Evidence that costs nothing to delete will be deleted.

BCAEN storage is a competitive market. Archival nodes bid for storage slots at incident creation. The slot auction runs on the gossip network: nodes broadcast availability and price; the incident escrow automatically selects the lowest-cost bids meeting a minimum availability score, up to a redundancy target. Payment is held in escrow and released incrementally against cryptographic availability challenges.

6.4.1 Archival Node Registration

An archival node registers by posting an archival bond and declaring storage capacity. Bond size and declared capacity set the node\'s floor bid price. Nodes that win slots and then fail availability challenges lose bond proportionally to the failure window.

6.4.2 Slot Auction and Trustworthiness Scoring

Each incident generates a slot auction. Archival nodes submit sealed bids specifying price per GB-day and availability guarantee. The protocol selects bids using a composite score: bid price weighted against the node\'s historical availability record and bond size. A node with a perfect availability record but higher price may beat a cheaper node with recent failures.

6.4.3 Availability Challenges and Payment Release

The escrow contract releases payment to archival nodes in tranches against cryptographic retrieval challenges — a random node is selected to issue a challenge, the archival node must return the specified chunk within a timeout window, and the challenge result is broadcast. Passed challenges release the next payment tranche. Failed challenges trigger bond forfeiture proportional to the failure window.

6.4.4 Windowed Retention by Design

Retention is not indefinite. The default retention window covers the active case period plus a lightweight extended window for potential appeals. After the case window, data transitions to a lightweight hash-only record — the content is no longer required but the integrity fingerprint persists. Extended retention beyond the default window requires consent from at least one party and continued payment into the archival escrow.

6.4.5 Hardware Accessibility

Archival nodes can operate on consumer hardware. A Raspberry Pi with an attached SSD meets the minimum specification for standard-definition incident footage. High-definition multi-camera incidents require more storage but the economic model scales with the incident escrow — callers who want higher-quality evidence archival fund it through their bounty and reward configuration.

6.5 Content Integrity and Prohibited Material

The BCAEN is not a general-purpose storage network. Content is only accepted when cryptographically linked to a valid incident alert — a signed caller stake UTXO at a specific block height, with a hash pre-propagated over gossip before upload completes. There is no path into the archival network that does not pass through this gate.

Uploaders who submit forged metadata, content unrelated to the linked incident, or material illegal under international law — including child sexual abuse material — forfeit their bond on jury confirmation and are permanently excluded from the network. The bond requirement means bulk abuse is self-taxing: every upload attempt costs real capital regardless of outcome. Flagging suspicious content for jury review is open to any bonded participant; malicious flagging — submitting bad-faith flags to harass honest uploaders — carries the same forfeiture penalty as the prohibited upload itself, closing the weaponised-flag attack surface symmetrically.

On a jury ruling confirming prohibited content, the archival bond slots holding that content are released and the content is purged from the redundancy set across all participating archivers. The SHA-256 hash record persists as an on-chain audit trail, recording that the content existed, was reviewed, and was removed by adjudicated process — not by administrative fiat. This distinction matters: the removal is transparent and contestable, not opaque and arbitrary.

This mechanism directly addresses the state-level threat of hostile regulatory action against BCAEN as an evidence network. A state actor seeking to justify censorship by pointing to illegal content on the network will find that the network already identifies, adjudicates, and removes such content more rigorously than conventional cloud storage — with a bonded uploader liable for the attempt, a jury-verified removal record, and a permanent on-chain audit trail. The argument for censoring the network collapses against its own evidence of self-governance.

7. Arbitration

Disputes are not failures. They are the protocol working as designed.

The Bitaid arbitration system is a two-tier structure. The first tier — attending-only voting — governs incident validity and bounty release. The second tier — the independent jury — governs conditional outcome reward release and contested disputes that attending parties cannot resolve. Precedence is explicit: the attending-only vote resolves all matters in scope unless any bonded party files an escalation within 48 hours of the attending verdict. Escalation moves the entire dispute — bounty and conditional reward together — to the jury tier. Partial escalation is not permitted; the jury inherits the full incident record and issues a single binding verdict across all escrows. This prevents conflicting verdicts on the same incident from different tiers.

Throughout this section and the threat map, the term honest limit denotes an attack surface the protocol explicitly does not attempt to mitigate — either because mitigation is structurally impossible within a permissionless system (physical coercion of identified participants), or because mitigation would require breaking a core protocol property (key recovery would require a trusted custodian; identity verification would require a permissioned registry). Honest limits are not design failures. They are the boundary conditions of the threat model the protocol is calibrated for, stated plainly rather than obscured. Where an honest limit is reached, the voluntary formal arbitration path described in section 7.6 is the appropriate escalation.

7.1 When Arbitration Triggers

Arbitration triggers automatically when: the caller disputes the outcome assessment submitted by attending responders; an attending responder disputes the caller\'s incident close; or the conditional outcome reward escrow is ready for release and requires jury sign-off. Arbitration may also be triggered manually by any bonded party within a defined post-incident window.

7.2 Attending-Only Voting

The first arbitration tier involves only parties who were physically present at the incident. Each attendee submits a signed outcome assessment. Assessments are weighted by the merit formula. The weighted majority governs. This tier is fast and cheap — no external jury selection, no delay. It handles the majority of disputes: caller-responder disagreements about whether an outcome was achieved. Critically, this tier also prevents non-cooperation from becoming a zero-cost exit for callers. Without it, a caller could refuse to cooperate and wait for the CLTV timelock to reclaim their stake, obtaining response services for free. The attending-only vote is what closes that vector: responders who attended, documented, and acted can collectively assert the outcome regardless of whether the caller cooperates, and the merit-weighted verdict governs bounty and reward release. When the attending-only verdict confirms caller misuse — a troll alert, a fabricated incident, or bad-faith non-cooperation — the caller stake is seized and distributed to attending responders as compensation for their wasted time and presence, pro-rata by their merit weight. The responders showed up, documented, and acted on false pretences; the stake that induced them to do so becomes their payment.

7.3 Merit Weighting Among Attendees

weight = sqrt(stake_ratio) × (0.1 + rep_factor × bounty_factor). stake_ratio is derived from the juror's directly posted personal bond only — the insurer buffer is excluded from this figure regardless of what the total on-chain escrow shows. The square root compression prevents capital dominance while preserving meaningful stake differentiation. The 0.1 floor ensures new responders with no history are not silenced. The reputation and bounty factors reward proven track records.

7.3.1 Voting Threshold and Majority Structure

The voting threshold is a supermajority of weighted votes. The top-weight attendees can always reach majority among themselves — lower-weight attendees serve as tiebreakers in close votes. This prevents any single high-stake responder from unilaterally deciding outcomes while ensuring that a clear consensus among experienced attendees resolves quickly.

7.4 Ground Truth and Free Market Correction

The protocol does not claim to produce ground truth. It produces an economically incentivised consensus among parties with real stakes. The jury system\'s asymmetric penalty structure — incoherent jurors lose between 2× and 4× of what coherent jurors earn, scaling continuously with dissent isolation and appeal tier — makes honest voting the dominant strategy. Over time, jurors who consistently vote against consensus lose bond and exit the jury pool. The pool self-corrects toward accuracy without any central authority enforcing it.

7.5 Independent Jury Tier

A jury that loses money for being wrong is a jury with skin in the game.

7.5.1 Jury Eligibility and Selection

Jury nodes must post a jury bond of at least 0.1 BTC. Eligibility requires passing a retro-testing threshold: at least 80% agreement with consensus outcomes across a minimum of 10 prior cases. A 30-day time-lock prevents rapid re-entry after bond forfeiture. Bond withdrawal on voluntary exit is subject to a mandatory 90-day delay from last case close, with an active retroactive review extending the hold for its duration. Jury nodes may specialise in subcourt categories — medical, property, detention — and cases are preferentially routed to matching subcourts.

7.5.2 Blind Commit-Reveal Voting

Jurors vote using a commit-reveal scheme: hash(vote, salt, jury_pubkey) is broadcast in the commit phase; the preimage is revealed in the reveal phase. This prevents jurors from observing each other\'s votes before committing. Late reveals are treated as abstentions. Abstentions do not attract penalty but do not earn reward.

7.5.3 Asymmetric Penalty & Appeal Subsidy

Incoherent minority jurors — those whose vote does not align with the weighted majority — forfeit a portion of their bond. The penalty multiplier is dynamic, ranging from 2× to 4× the amount that coherent jurors earn, depending on two variables: panel size n and minority proportion p (the fraction of jurors in the minority, clamped between 1/n and 1/3). The multiplier is given by:

p       = minority_jurors / panel_size   (clamped to [1/n, 1/3])
penalty = 2 + 2 × ( (1/3 − p) / (1/3 − 1/n) )   capped at 4×

This yields a continuous, intuitive surface. For a 3-juror panel with one dissenter (p = 1/3) the formula gives exactly 2× — a contested result where reasonable disagreement is possible. For a 15-juror panel with a single dissenter (p = 1/15) the formula gives 4× — a tiny minority holding out against overwhelming consensus in a case that has already survived multiple rounds of review, which is a strong signal of corruption or gross miscalibration rather than legitimate disagreement. Intermediate panels (7, 11 jurors) and intermediate minority sizes produce penalties that slide smoothly between the two bounds. A single dissenter on a 7-juror panel produces roughly 3×. Two dissenters on a 15-juror panel produce roughly 3.4×. The mechanism rewards the consensus but does not treat all dissent as equivalently aberrant — a contested 40% minority is treated with appropriate lenience that a 7% minority is not.

Voting “insufficient evidence” is treated as a vote like any other — it carries no safe harbour. This forces jurors to engage with the evidence rather than abstain strategically.

The penalty pool does not distribute immediately to the coherent majority. Instead it is locked into an appeal escrow for that incident. If an appeal is filed within the defined window, the escrow funds the next round’s jury fees — partially or fully — reducing the cost for the appealing party:

total_penalty   = sum(dissenter_bond × penalty_multiplier) at tier N
next_round_cost = jury_fee × panel_size(tier N+1)
subsidy         = min(total_penalty, next_round_cost)
remainder       = total_penalty − subsidy

→ subsidy    → appeal fee escrow for tier N+1
→ remainder  → coherent majority jurors at tier N (pro-rata by bond weight)

If no appeal is filed within the window, the full penalty pool releases to the coherent majority at tier N as originally intended. This recursive mechanism aligns incentives precisely: incoherent jurors subsidise the reconsideration of their own error, and the system becomes self-correcting without requiring a separate “loser pays” rule. The subsidy is zero when the prior tier was unanimous — no penalty pool exists — meaning the appellant bears full escalation cost when the prior verdict was already uncontested. The subsidy only materialises when there was genuine disagreement below, which is exactly when escalation is most legitimate. Coherent jurors at tier N+1 receive the subsidy as fee earnings once the appeal resolves, so the economic benefit still reaches honest jurors, with extra steps.

7.5.4 Appeal Scaling

Appeals trigger progressively larger jury panels: 3 jurors at first instance, 7 on first appeal, 15 on second appeal, 31 on third and final. Each appeal round requires a fresh bond contribution from the appealing party, partially offset by the appeal subsidy from the prior tier where dissent existed. The escalating panel size and the rising penalty ceiling at each tier make frivolous appeals self-deterring: a party that lost a unanimous 3-juror verdict receives no subsidy and faces a 7-juror panel whose dissenters — if any — will be penalised more harshly. Genuine recourse is preserved; manufactured escalation is expensive.

7.5.5 Calibration and Consistency Tracking

The protocol maintains a rolling consistency score for each jury node. Calibration cases — historical incidents with known consensus outcomes — are periodically injected into the jury queue. A juror who consistently misidentifies calibration cases is flagged for review and eventually excluded from the pool.

7.5.6 Dynamic Bond Floor, Fee Market, and Panel Composition

Capital, time, weight, and bounty. Each layer closes a gap the others leave open.

Pool closure and merit-based entry

The jury pool is closed to new entrants by default. The pool size has a target — the rolling median of the active juror count over the last 200 case-event windows — and when the current count meets or exceeds that target, no bond can be posted to join. This structural closure is the primary Sybil defence: it is not more expensive to attack, it is impossible to guarantee attack progress regardless of capital available.

A slot opens under two conditions. Natural turnover: when a juror voluntarily exits, is ejected for inactivity, or has their bond forfeited, the slot opens immediately. Demand undersupply signal: when the queue has been continuously non-zero for 72 hours despite fee rises, the protocol concludes the pool is genuinely undersized and opens one slot. If the queue clears before 72 hours, no slot opens — the fee mechanism was sufficient.

When a slot opens, the protocol broadcasts a single opening over gossip and a competition window begins. Entry operates on a three-track system depending on the maturity of the calibration library:

Track A — Coherence competition (post-genesis, primary track). Active once the calibration library holds at least 100 verified cases. Any node wishing to enter submits three things within a 48-hour competition window: (1) a non-refundable participation fee paid directly to one or more BCAEN archival nodes for case retrieval and review hosting — market-priced by bid/ask between applicant and archivers, protocol verifies only that payment to a bonded archival node occurred; (2) an intention bond of 0.1 BTC locked in escrow, scaled upward by applicant count as 0.1 BTC × applicants^0.3 — automatically returned to losers at window close, winner’s excess above 0.1 BTC refunded at bond lock; (3) independent review of 10 calibration cases selected from the BCAEN library, scored against the established consensus outcomes. The applicant with the highest coherence score wins the slot. Tiebreak: higher intention bond. The winner has 48 hours to complete the permanent bond lock; failure passes the slot to the next highest scorer.

The participation fee is the key non-refundable cost. A Sybil farm flooding the competition with 1,000 identities pays 1,000 market-priced BCAEN fees — every one of them, regardless of outcome. Each identity must also independently review cases and score well; the work cannot be distributed across Sybil accounts since each account’s score is independent. An attacker who genuinely outscores honest applicants on calibration cases has, in practice, become a calibrated honest juror. The participation fee revenue flows into the BCAEN archival pool, funding indefinite hosting of calibration cases — the more applicants compete over time, the more permanently the case library is funded.

Track B — Invitation (fast path, all phases). A current juror who has completed 50 or more cases with a lifetime coherence score of 90% or above may issue a signed invitation to a named candidate. The invitee skips the competition window, posts 0.1 BTC directly, and enters the normal calibration queue. No participation fee, no scaled intention bond. The inviting juror stakes their reputation: if the invitee votes incoherently or is ejected for misconduct within their first 30 cases, the inviter’s coherence score takes a proportional penalty. Capital cannot manufacture a legitimate invitation — it requires a vouching juror with real case history and skin in the result. Each juror may hold at most one outstanding invitation at a time. If no invitation is used within 48 hours of a slot opening, the slot proceeds to Track A or Track C.

Track C — Weighted lottery (genesis fallback). Active when the calibration library holds fewer than 100 verified cases and no invitation has been issued within 48 hours of slot opening. Applicants submit a scaled intention bond (0.1 BTC × applicants^0.3) within a 24-hour window. One winner is selected by weighted lottery: weight proportional to bond amount declared, capped at 3× the minimum. Winner has 48 hours to complete bond lock. Track C retires as Track A becomes available.

Inactive juror replacement

A closed pool accumulates stale accounts over time — jurors who posted a bond and qualified but are no longer taking cases. Stale jurors block entry for active candidates and reduce panel throughput without reducing the nominal pool count. The protocol ejects them and opens their slots.

A juror is flagged inactive when they decline or fail to respond to panel assignments on more than 80% of cases routed to them over the most recent 30 case-event windows, with a minimum of 5 cases in that window to avoid false positives during quiet periods. Flagging is local: each node tracks this from its own gossip view. When confirmed by a supermajority of peer attestations, the juror’s eligibility is suspended and their slot opens. The bond is not forfeited — inactivity is not misconduct — and the juror may re-enter a future competition if they resume activity. Inactive replacement only fires when the rolling average queue depth over the most recent 30 case-event windows is above zero: a quiet network with a slightly oversized pool is not a problem worth creating friction over.

Fee market

The per-case fee adjusts on every case close based on the current jury queue depth — the number of cases escalated to the jury tier and waiting for panel formation. The target is zero backlog. The adjustment is ±12.5% per case close, adapted from the continuous adjustment structure of EIP-1559^[8] but with a different signal and target: the fee rises when cases are waiting and falls when the queue is clear. On each case close: if queue_depth > 0, fee × 1.125; if queue_depth == 0, fee × 0.875. There is no protocol-imposed fee floor. The fee drifts freely downward whenever the queue is clear, settling wherever the market clears. A juror who finds the prevailing fee insufficient simply does not join active panels — the pool thins, the queue builds, and mechanism A pushes fees back up. The market self-corrects without needing a floor. The genesis starting fee is a calibrated parameter, not a permanent constraint. Cases with non-default jury quality configurations maintain their own effective queue segment: the fee signal for a 95% coherence threshold case responds to the depth of unresolved cases at that threshold, not the overall jury queue depth. A non-default configuration that cannot attract enough qualified jurors sees its fee rising independently until it either clears or falls back to defaults at the 72-hour mark. On a well-functioning network the queue should clear same-session for most cases — jury review of a well-documented incident with footage, GPS metadata, and signed attendance is a verification task, not a deliberative one. Panel assembly, review, and verdict typically resolve in minutes to hours. Unlike traditional arbitration which takes weeks or months, the jury tier is designed to operate at emergency response speed, consistent with the rest of the protocol.

Panel composition

At least two thirds of every panel must be drawn from reputation-qualified jurors — those with ten or more cases at an 80% or higher coherence rate. Selection within each tier is bond-weighted with sqrt compression, drawn from a random candidate pool of twenty before weighting is applied.

A fresh bond account with no case history is structurally confined to the open seats — at most one seat on a five-juror panel. Corrupting a majority requires three of five seats, which means at minimum two rep-qualified Sybil accounts landing on the same panel simultaneously. Building a rep-qualified account takes a minimum of fifteen days of real case participation per account and cannot be parallelised or accelerated with capital.

Configurable jury quality. Either disputing party may configure two panel parameters above the protocol defaults at escrow construction, enabling a premium service market for adjudication quality. The two settings are independent:

Coherence threshold (default 80%, configurable 80%–99%): raises the minimum coherence score required for the rep-qualified ⅔. At 90% only jurors with a 90%+ lifetime coherence score fill those seats. At 99% only the most consistently accurate jurors in the pool qualify. The higher the threshold, the smaller the eligible pool and the higher the market-clearing fee.

Open seat fraction (default ⅓, configurable to 0): removes the open seat allocation entirely, requiring all seats to be drawn from the rep-qualified tier at the set threshold. With both settings at maximum — 99% coherence, zero open seats — the panel is drawn entirely from the most seasoned jurors in the network.

The ⅔ rep-qualified invariant is non-configurable. No setting can reduce the rep-qualified share below ⅔. Raising the coherence threshold tightens the definition of rep-qualified; removing the open fraction raises the share to 100%. Both directions strengthen the Sybil defence. The protocol surfaces the current distribution of active jurors by coherence band as advisory network data, allowing parties to set realistic thresholds — an unreachable configuration falls back to defaults after 72 hours. The fee differential above standard is paid ad hoc by the requesting party from their own capital, not from shared escrow. The network data advisory, combined with the automatic fallback, means market reality self-corrects unrealistic demands without any administrative intervention.

Temporal seasoning and cohort detection

Effective reputation is discounted by a seasoning factor: rep_score × min(1, days_since_first_case / 90). Accounts that manufactured their case history rapidly are down-weighted in selection even after passing the raw coherence threshold. The protocol also tracks pairwise voting correlation across jurors — accounts that vote identically on close cases and also cluster geographically and temporally in their history accumulate a coordination penalty that reduces their selection weight.

Sponsored bonds

Any honest participant — insurer, security firm, high-reputation responder — may co-sign a direct bond top-up for a rep-qualified juror. Sponsored capital carries full direct-bond weight. Forfeiture hits personal capital first, then the sponsored portion — sponsors lose real money if the juror they vouched for votes incoherently. A rep-qualified Sybil at genesis floor competes in the same tier as a sponsored honest juror with a 0.5 BTC bond and carries 2.2× less selection weight. Capital cannot buy sponsorship — it requires standing in the honest community that a Sybil cannot manufacture.

Disputant quality bond

Either disputant may post an additional quality bond into the jury escrow before panel selection, distributed at verdict to coherent jurors only. High quality bonds attract heavily sponsored, seasoned jurors and rationally deter fresh Sybil accounts whose penalty exposure would be disproportionate to their weight. Both parties may post independently; neither can withdraw once posted.

Retroactive fraud detection

Retroactive review is triggered automatically rather than by individual submission. During normal operation, past cases are injected into the calibration queue alongside synthetic test cases. When jurors reviewing a real historical case accumulate a dissent rate of 40% or more against the original verdict across independent calibration reviews, the case enters the automatic re-review queue — no individual needs to scout the archive or claim a bounty. The signal emerges from aggregate juror activity. A 30-day time-lock after the original final verdict prevents retaliatory re-review of recently closed cases. Once queued, a retrospective panel of up to 31 jurors is convened. If the panel validates the fraud, every stake in the fabricated incident chain is forfeited simultaneously: caller bond, responder bonds, and the bonds of any jurors who participated in the corrupt verdict. The 90-day bond withdrawal delay described in section 7.5.7 ensures those juror bonds are still present to seize at the time of review.

Unified forfeiture destinations. All protocol forfeiture events route through a consistent framework. Trial costs — the review or jury panel fees, always at the normal per-case rate — are paid first from the seized capital. What remains follows rules specific to each forfeiture type:

Retroactive chain fraud forfeiture (fabricated incidents, corrupt verdict chains): panel paid at normal case rate from seized bonds; remainder enters the BCAEN redundancy subsidy pool, drip-released over 90 days. Elevated archival node yield during the drip window attracts new nodes to join; once established, those nodes remain for normal economics. The attacker's capital ends up strengthening the evidence infrastructure that detected them.

Caller misuse forfeiture (troll alerts, fabricated incidents confirmed by attending vote): seized stake distributed to attending responders as compensation for wasted time and presence, pro-rata by merit weight. The stake that induced them to attend on false pretences becomes their payment.

Responder misuse forfeiture (harmful intervention, phantom attendance, bad-faith attending vote): panel fees paid first; remainder indemnifies the harmed party. If the harmed party is the caller, remainder goes to the caller. If the harmed party is a competing responder whose reputation or earnings were damaged by the misconduct, remainder goes to that responder. If both are harmed, the jury verdict specifies the split. If no identifiable direct victim, remainder enters the dispute resolution fund.

Archival availability forfeiture (failed availability challenges, corrupted records): forfeiture funds replacement slot costs — the capital directly covers finding and onboarding a replacement archival node for the affected evidence. Any remainder enters the BCAEN redundancy subsidy pool.

Malicious BCAEN content forfeiture (prohibited uploads confirmed by jury): jury paid at normal case rate; remainder enters the BCAEN redundancy subsidy pool via 90-day drip release. Removal requires no fees — nodes drop the flagged content on verdict propagation. The uploader's stake funds the network's growth rather than the cost of deletion, which is zero.

Sponsorship cascade forfeiture (sponsor stake seized on invitee misuse): enters the dispute resolution fund, covering appeal subsidies and attending-vote costs generated by the invitee chain's incidents. The sponsor's capital covers the dispute costs their invitees produced.

No forfeiture event directly enriches the jurors who ruled on it beyond their normal per-case fee. This closes the captured-panel attack: a majority that falsely condemns honest participants cannot extract the seized bonds as a reward. The bonds fund the mechanism or indemnify victims; the panel earns only what any panel earns for a case of that size.

A Sybil farm accumulates forfeiture exposure with every manufactured incident. Every fake case it produces is a case that may later enter the calibration queue and be reviewed by independent jurors who have no stake in the original verdict. If those reviews accumulate 40% dissent from the original outcome, the case triggers automatic re-review. The farm cannot predict which cases will be reviewed or when — the detection is passive and continuous, not dependent on any single actor choosing to act. The longer the operation runs, the larger the forfeiture pool that can be triggered by the statistical signal alone. Time — the patient attacker's greatest advantage — becomes their greatest liability.

7.5.7 Bond Withdrawal and Exit

A juror who wishes to exit the role initiates withdrawal by broadcasting a signed exit declaration. From that point, a mandatory 90-day hold begins, timed from the close of the juror's most recent case. During the hold:

• The bond remains encumbered and subject to forfeiture if any retroactive fraud proof is validated against a case the juror participated in.
• New case assignments cease immediately on exit declaration — the juror does not accumulate further exposure after signalling exit.
• If a retroactive review is opened against any of the juror's cases during the 90-day window, the hold extends for the duration of that review, regardless of where in the 90 days the review was opened.
• If multiple retroactive reviews are opened, holds stack: the bond is not released until all active reviews resolve.

A juror with a clean case history exits at day 90 with their full bond returned. A juror whose history is under active review exits only after all reviews resolve — which, for a juror who participated honestly in contested cases, means the reviews clear and the bond returns; for a juror who participated in corrupt verdicts, means forfeiture on each confirmed case before any remainder is returned.

Good reputation accumulated over time provides no cover for targeted collusion. Each case is reviewed independently. A juror with five years of clean coherence scores and two corrupt verdicts hidden within that history faces forfeiture on exactly those two cases. The clean history does not offset the corrupt ones; it merely confirms that the remaining cases are clean.

Early release path. A juror may request a retroactive audit of their case history before the 90-day hold expires. Each audit convenes a retroactive panel on a specific case; the juror pays the panel fee. If the panel clears the case, that case exits the hold window. If all cases within the retention window are cleared before day 90, the hold releases early, subject to a minimum 30-day floor — sufficient for any outstanding fraud proof to surface before exit is permitted. This path allows legitimate jurors with large case histories to establish clean exits faster by actively demonstrating the cleanliness of their record, at the cost of audit fees. Malicious jurors requesting audits of their corrupt cases accelerate their own exposure rather than gaining early exit.

The 90-day withdrawal delay is also the mechanism that closes the "good reputation hiding collusion" attack. A juror who accumulated genuine coherence scores over time but participated in targeted collusion on specific high-value cases cannot liquidate their reputation and disappear cleanly. The retroactive window catches the specific cases; the hold freezes the bond on those cases; the reviewing panel forfeits it. The broader clean history is auditable separately and does not interact with the forfeiture on the corrupt cases.

The honest limit and the formal arbitration handoff

The layers above are calibrated for the realistic threat: opportunistic capital floods, patient reputation farming, coordinated but commercially-motivated adversaries. For disputes where a nation-state actor is a plausible threat — high-value commercial relationships, politically sensitive incidents, cross-border institutional parties — the voluntary formal arbitration path described in section 7.6 is the appropriate escalation. Parties who opt into a neutral non-state international arbitration framework — such as those administered by ICC, LCIA, UNCITRAL, or ICSID-style bodies, to name existing examples — embed that body's N-of-M pubkeys into a fourth Taproot spending path at escrow construction. The chosen institution adjudicates using the same BCAEN evidence the protocol produced, operating under its own independent international jurisdiction rather than under any state's domestic courts. A state actor attempting to corrupt a verdict governed by international commercial arbitration law, enforced through multilateral treaty frameworks, and backed by on-chain evidence distributed before anyone could suppress it faces a fundamentally different and far more complex attack surface than the protocol layer alone presents. The two systems are complementary: the protocol provides trustless coordination and tamper-proof evidence at speed; the formal arbitration layer provides institutional and legal weight that no on-chain mechanism can replicate.

The complexity of this mechanism is not incidental. Sybil resistance in an anonymous, permissionless system with real-world consequences is brutally hard.^[28] A simple random draw from a bond pool is captured by capital. A reputation auction is captured by incumbents. A fee market is captured by adversaries who bid low, win the seat, and corrupt the verdict. Each layer above — bond floor, reputation quota, temporal seasoning, cohort detection, sponsored bonds, disputant quality bonds, retroactive fraud bounties — is a response to an attack the previous layer did not fully close. The result is a mechanism that may work, but that no single person, including its authors, can fully reason about from first principles. That is not a failure of design. It is an honest acknowledgement of the attack surface.

On the pricing inversion

The deeper problem with juror selection is that a classical bid-ask price market for jury seats is structurally fatal. If the protocol allows adversaries to compete on price — bidding low per case to maximise seat acquisition — honest jurors with real opportunity costs cannot compete. The pool fills with the cheapest bidder, which is reliably the most malicious one. The solution already implicit in this design is to invert the incentive entirely: jurors do not get paid to be right. They lose bond for being wrong. The only rational juror is therefore one who is confident they can vote with the honest majority — which means having enough real case history and honest standing to predict where that majority will land. A malicious actor bidding for seats faces not a price competition but a penalty exposure. Between two and four times their stake gone — depending on how isolated their dissent is and which appeal tier they are at — if the honest majority overrides them. That asymmetry is the actual deterrent.

It only holds, however, if the honest majority is consistently present, uncorrelated, and not outnumbered. Which is precisely why the pool is closed by default and entry requires demonstrated coherence rather than capital, reputation seasoning blocks fresh accounts from majority seats, and cohort detection penalises coordinated voting. The pricing inversion is the core insight. The layers are what protect it.

The simpler alternatives and why they fail here

One candidate simplification: staked random sampling with long lockup and severe slashing. No reputation, no seasoning, no cohort detection — simply select N jurors at random from a bond pool at a high minimum (0.5 BTC or more), vote blind, and slash anyone outside one standard deviation of the median entirely. Simpler to reason about. But it immediately runs into the 50% control problem: an attacker who can accumulate more than half the pool by bond weight wins every vote, and the bond floor required to make that acquisition astronomically expensive also excludes every participant who is not already wealthy. You trade mechanism complexity for access exclusion and still do not solve capital capture — you merely raise its price. The closed-pool coherence competition solves this differently: it is not more expensive to attack, it is structurally impossible to guarantee attack progress regardless of capital. An attacker who genuinely outscores honest applicants on calibration cases has, in practice, become a calibrated honest juror.

The other candidate simplification — delegating arbitration to a small fixed federation of known, bonded, insured entities — is not actually an alternative to this protocol. It is already section 7.6. The formal arbitration path exists precisely for disputes where simplicity and institutional enforceability matter more than trustlessness. For insurer-subscriber disputes, security firm contracts, and commercially structured relationships where both parties agree in advance on a neutral arbitration venue, it is the correct choice. The protocol does not compete with it. It offers it as the appropriate escalation for anyone who wants it.

7.6 Voluntary Formal Arbitration Layer

For parties in pre-existing commercial relationships — an insurer and subscriber, a security firm and client — a voluntary formal arbitration path adds a federation multisig spending path to the escrow at construction time. The federation consists of credentialed AidCore nodes operated by a recognised arbitration body. The arbitration body adjudicates off-protocol using the BCAEN evidence as documentary record. This path is only available when all relevant parties share a pre-existing institutional relationship including a recognised arbitration clause — ICC, LCIA, UNCITRAL or equivalent.^[26][27]

8. Payment Protocol

8.1 Why Liquid (Standard Path)

The standard payment path uses the Liquid sidechain — an Elements-based Bitcoin sidechain offering one-minute block times, Confidential Transactions, and a richer scripting environment than Bitcoin L1. For standard stakes and bounties, Liquid\'s block time is fast enough that escrow construction does not introduce meaningful delay in incident response. Confidential Transactions hide amounts from third parties while preserving auditability for parties holding the blinding key.

8.2 Boltz as the Funding Rail

Participants who hold only Lightning balances fund their Liquid escrows through Boltz — a non-custodial submarine swap service that atomically exchanges Lightning sats for L-BTC and back. The swap is trustless: payment and delivery are linked by the same hash preimage, with no custodian holding funds at any point. Boltz operates as the entry and exit ramp at both ends of the protocol. On entry, a caller or responder with a Lightning wallet swaps sats into L-BTC, which lands directly in the Liquid escrow without the user ever managing an on-chain UTXO. On exit, settled escrow amounts — bounties paid to responders, stakes returned to callers, jury fees — swap back out to Lightning wallets via a reverse submarine swap. The result is a fully Lightning-native user experience on both sides: a caller with only a Lightning wallet can fund stakes, post bounties, and configure outcome rewards; a responder can receive all earnings directly to their Lightning node. The Liquid and Bitcoin L1 complexity is abstracted entirely by Boltz at both ends. Lightning itself does not execute or hold the conditional escrow — it is the funding and settlement rail only. The conditional logic, spending paths, and arbitration settlement all occur on Liquid or Bitcoin L1.

8.3 The Elements Script Escrow

The Liquid escrow is written in Elements Script — a superset of Bitcoin Script that adds covenant opcodes, OP_CHECKSIGFROMSTACK (CSFS), re-enabled arithmetic operations, and Taproot support. These capabilities have been live on the Liquid Network since 2021 (Elements 0.18, post-genesis upgrade) and are not experimental.^[10] OP_CHECKSIGFROMSTACK allows the escrow to verify arbitration signatures directly in script without requiring a pre-committed key list — enabling the merit-weighted N-of-M arbitration path to be enforced at the script layer rather than at the application layer. The optional federation multisig path for formal arbitration uses the same mechanism: the N-of-M pubkeys of the chosen arbitration body are embedded in the script at escrow construction time and hidden in a Taproot leaf until invoked. The three standard spending paths (cooperative release, arbitration verdict, CLTV timelock) plus the optional fourth federation path are each a separate Taproot leaf. Only the leaf used in settlement is revealed on-chain; unused paths remain hidden, improving privacy and reducing on-chain footprint. Confidential Transactions on Liquid hide the escrow amounts from third parties while remaining auditable to parties holding the blinding key.^[9]

8.4 Compatible Wallets

Any Liquid-compatible wallet may hold L-BTC stakes. The protocol does not endorse specific wallets. The companion app integrates wallet functionality for the caller experience — stake posting, bounty configuration, and earnings receipt — but does not custody keys. All signing occurs on the user\'s device.

8.5 Bitcoin Base Layer for Institutional Stakes

For institutional-scale capital — insurer pools, high-value conditional outcome rewards — the protocol uses Bitcoin L1 P2WSH scripts. The scripting environment is more limited than Elements: no CHECKSIGFROMSTACK, no confidential amounts. The three spending paths are expressed using standard Bitcoin opcodes: OP_CHECKMULTISIG for the arbitration path, OP_CHECKLOCKTIMEVERIFY for the timelock path, and a simple signature check for cooperative release. The tradeoff is explicit: L1 is slower and more expensive but carries the deepest security and widest wallet compatibility.

9. Trust Web and Onboarding

A network with no history is a network no one trusts. A network that builds history trustlessly is a network that earns trust.

9.1 Web of Trust Properties

Bitaid does not have a central reputation authority. Reputation emerges from on-chain stake history, caller ratings (stake-weighted), peer attendee ratings (merit-weighted), and BCAEN footage contribution inference.^[16] No single party can inflate or deflate a reputation score without corresponding on-chain evidence. A new responder starts with the minimum floor weight and builds from there.

Responder reputation is scoped to the grid cells in which incidents occurred. A track record built responding to incidents in one cell does not automatically transfer weight in a different cell. Local reputation is more informative than a global aggregate: a responder who has demonstrated calibration in a specific geographic context — local law, local threat profiles, local caller and responder behaviour — is meaningfully more trustworthy in that context than a global score implies. Cell-scoped reputation also closes a cross-geography farming attack: a Sybil operation cannot build reputation cheaply in a low-activity, permissive cell and then exercise that reputation weight in high-value disputes in a distant cell. The weight earned is the weight earned where it was demonstrated.

Jury reputation, by contrast, is deliberately global. Jurors are selected from cells geographically distant from the incident to prevent local bias and collusion — a juror's home cell should not be the incident cell. Their coherence score therefore draws on cases across the network, not just their local context. The two reputations are separate accumulators, separate role credentials, and non-transferable in either direction.

9.2 Path to Formalised Insurance

The insurance primitive the protocol enables is actuarially novel: uncorrelated local emergencies mean the insurer\'s pool faces limited simultaneous drawdown. A subscriber who experiences an incident in London does not correlate with a subscriber who experiences an incident in Singapore. The insurer can leverage collateral across a subscriber base with actuarial confidence unavailable to any single-location insurer. Life insurance integration is the natural endpoint: a \$2M life policy subscriber generates enough premium to fund a meaningful conditional outcome reward. The rescue reward functions as a hedge — if the responder succeeds, the insurer avoids the life claim.

10. Health Response and Community Intelligence

10.1 Medical Emergencies

Bitaid is not a medical dispatch service, but the same coordination infrastructure that routes security responders routes first aid responders. A caller in cardiac arrest triggers the same alert mechanism as a caller being mugged. The alert card displays the caller\'s self-reported medical information if configured. Responders with medical training may filter alerts by type. The conditional outcome reward for a medical incident may be configured to release on verified stabilisation — creating a market for rapid medical response that no public system currently provides.

10.2 Community Safety Intelligence

Aggregated incident data — stripped of identifying information — constitutes a real-time community safety signal. Dense incident clusters indicate areas of elevated risk. Persistent low-stake alerts in specific areas may indicate systematic troll activity or genuine local crime patterns. The protocol surfaces this intelligence to responders as a grid cell risk score — an advisory signal only, with no automated routing consequence.

11. Privacy and Security Architecture

11.1 Caller Privacy

Caller identity is held encrypted locally and never transmitted in plaintext. The alert contains a pseudonymous identifier derived from the stake UTXO — sufficient to verify bond validity without revealing identity. Full identity disclosure is caller-initiated only: if the caller chooses to disclose to attending responders or to a legal authority, they sign a disclosure transaction. The protocol does not automatically disclose caller identity to any party, including law enforcement.

11.2 Responder Privacy

Responder identity follows the same pseudonymity model. The responder\'s Core keypair is the only persistent identifier. Earnings are received to a Lightning or Liquid address designated at registration — not linked to any real-world identity by the protocol. Responders who choose to build public reputation may voluntarily link their pseudonymous identity to a verifiable credential, but this is never required.

11.3 Device Security

The companion app never transmits raw GPS coordinates to any server. Location data is embedded in signed alert packets and routed only over Tor. The Core daemon never holds signing keys — all signing occurs on the user\'s device. A compromised Core cannot forge signatures or redirect funds.

GPS spoofing is mitigated by cross-validation: multiple independent recorders at the same scene with consistent GPS metadata make coordinated spoofing expensive. Hardware attestation — GPS modules with cryptographic signing, tamper-evident body cameras — is a market-driven response. Insurers who require attested hardware for coverage create economic pressure toward adoption without protocol-level enforcement.

11.4 State Resistance

The protocol is designed to remain functional under adversarial state conditions. Tor routing obscures participant IP addresses for alert and gossip traffic. BCAEN uploads and retrievals are routed over a high-bandwidth anonymous transport (I2P or equivalent) that has no exit node architecture, removing the exit node surveillance surface. DHT-based discovery has no central bootstrap dependency. On-chain bonds cannot be seized without compromising the participant\'s private key. The protocol does not maintain any server infrastructure that can be court-ordered to produce logs.

12. Conclusion

Bitaid does not propose to replace public safety institutions. It does not need to. If the protocol works — if better incentives produce better outcomes, if adoption snowballs through the insurance flywheel, if professional responders find a real market where none existed before — human capital will migrate on its own. Not through conflict, not through political victory, not through the dismantling of anything. Through the oldest mechanism in economics: people go where the work is better compensated, better structured, and more meaningful. A responder who earns real income, builds a verifiable reputation, and operates under rules they can read and verify has a better career than one ranked by party affinity and sanctioned for using reasonable means. The transition, if it comes, will be gradual, voluntary, and entirely peaceful — a non-kinetic redistribution of human capital toward real demand, driven by the price signals that monopoly provision has always suppressed.^[14]

Every component of the protocol is independently motivated. The stake is motivated by the need to make troll alerts expensive. The bounty is motivated by the need to compensate presence. The conditional outcome reward is motivated by the need to price intervention. The jury tier is motivated by the need to resolve disputes without courts. The BCAEN — the Bitaid Content-Addressed Evidence Network — is motivated by the need for evidence that cannot be suppressed. The insurance primitive is motivated by the need to make the system accessible to people who cannot self-fund a meaningful stake.

None of these components requires trust in any central party. Each is enforced by Bitcoin script, by game-theoretic incentive alignment, or by cryptographic proof. Together they constitute a coordination system that can function in the gap between crime and institutional response — a gap that has always existed and is widening.

In 1998, Wei Dai published b-money^[30] — a proposal for a trustless, anonymous electronic cash system with no central authority. It was never implemented. Nakamoto cited it as reference [1] in the Bitcoin whitepaper. The idea did the work that the implementation could not yet do: it articulated the problem clearly enough, and planted it in the right minds, that a decade later someone built the thing that changed everything.

This whitepaper may be that kind of contribution. It may also be the thing itself. The authors make no claim either way. What matters is that the problem is stated, the architecture is sound, and the argument is in the open. If Bitaid ships and works, the market for civil security begins its correction. If it seeds something better — a cleaner implementation, a stronger cryptographic foundation, a more elegant economic model — that outcome is equally welcome. The goal was never credit. It was the displacement.

The protocol is open. No rights reserved.

Appendix A — Protocol Parameter Reference

All protocol parameters at genesis. Parameters marked deflating follow the 20% annual nominal schedule computed from Bitaid's application-layer genesis block height. Parameters marked calibrated are set at genesis and adjustable only through the governance-free fork mechanism (§5.6).

References