Double-Spend Assurance without Blocks: Designing Miner-Signed Proofs and Spentness Commitments in a Header-Only System
Why categorical proof of non-existence in the future is impossible, and how to achieve practical, court-quality finality with SPV, miner receipts, and Spentness Trees.
Thesis
It is impossible in a trustless distributed system to prove a negative about the future—that no conflicting transaction will ever exist. However, by combining SPV input proofs, miner-signed first-seen receipts, double-spend alerts, and cryptographic Spentness commitments, one can create a robust framework that provides categorical “as-of-height” guarantees and enforceable evidence of fraud. This framework delivers practical finality for 0-confirmation transactions using only block headers, transforming the economics of micropayments and scalable digital cash.
Keywords
Bitcoin, SPV, double-spend, miner receipts, UTXO commitments, sparse Merkle trees, RSA accumulators, fraud proofs, 0-conf, finality, block headers.
I. Introduction
The central difficulty in any distributed system is not proving what exists but proving what does not. Presence is trivial: a record, a signature, a branch in a Merkle tree. Absence is a different matter entirely. One cannot simply point to an empty page in a ledger and declare that it contains no entries. In a system without central authority, the statement “nothing else has been written” cannot be verified by fiat; it requires cryptographic structure and institutional commitment. This is the problem that underlies the perennial discussion of double spends in digital cash systems: how to know, in the moment of acceptance, that the same coins have not been or will not be promised to someone else.
Double-spend prevention is not an academic curiosity; it is the essence of digital money. Without it, coins are not property but theatre props, endlessly duplicated without consequence. The ability to prove that an input is uniquely spent is what transforms strings of bits into assets with scarcity and value. It is also what allows merchants to accept transactions instantly, without resorting to clearing delays that would defeat the purpose of fast electronic cash. The task is therefore to design a system that provides a merchant with categorical assurance that the coins presented to him are genuine, unspent, and bound to his receipt, even before the next block has been written.
Naïve Simplified Payment Verification (SPV), as set out in the original design, offers only part of this. By keeping block headers and requesting Merkle proofs, a lightweight client can verify that a given transaction was indeed included in a block. This proves existence, not exclusivity. The merchant can know that an output was created, but he cannot know, using only headers, whether it remains unspent or whether a conflicting transaction has emerged elsewhere. To rely on SPV alone is to accept that presence can be demonstrated but absence cannot.
The thesis of this work is straightforward: it is impossible to prove a negative about the future in a trustless environment. One cannot demonstrate that a transaction will never be contradicted tomorrow. What one can do is prove, categorically and cryptographically, that as of a known block height, the input was unspent and committed to a unique transaction, and that the entities with power to extend the chain have attested to this fact. The proper design therefore is not to attempt prophecy, but to construct receipts, proofs, and commitments that bind miners at a given moment in time. With these elements, a merchant can demonstrate to any court or counterpart that his acceptance was justified, and that any later equivocation is not accident but fraud.
What follows is the outline of such a system. It relies on four components: SPV input proofs tied to block headers; miner-signed acceptance receipts binding them to first-seen enforcement; real-time double-spend alerts producing equivocation proofs; and, at the structural level, Spentness commitments embedded into block headers via sparse Merkle trees. Together these provide practical finality at “zero confirmations” without downloading full blocks, reconciling the need for lightweight verification with the requirement of commercial certainty.
II. Background and Conceptual Limits
II. Background and Conceptual Limits
The formal problem to be addressed is deceptively simple: how can one prove that “no other transaction spends input X”? The requirement seems trivial when expressed in natural language, but its cryptographic and logical implications are immense. Existence can be proven; non-existence cannot. The assertion that a transaction output has not been spent elsewhere involves not only the present but an open-ended commitment about the future. In a distributed system without central arbiter, such a statement is, strictly speaking, impossible. One cannot produce a cryptographic proof of something that has yet to happen. What one can do, however, is produce proofs of the present and the past, and bind agents with power over the future to enforce exclusivity through incentives and signed commitments.
The impossibility of proving future negatives in trustless systems is fundamental. A system of distributed consensus can attest to the state of the ledger at block height H. It can show that input X was created in block B and has not been marked as spent up to the tip of the chain. This is a categorical fact, verifiable by any observer with access to the chain history. But the claim that “no one will ever attempt to double-spend X after H” cannot be proven without appeal to prophecy. The system can expose attempts, it can record them, it can punish them, but it cannot prevent them from being broadcast. The distinction must therefore be clear: cryptographic proofs apply to past and present states; future behaviour requires enforcement, incentives, and penalties for deviation.
The contrast between past/present verifiability and future prevention lies at the heart of any serious treatment of double-spend resistance. Past and present proofs are the domain of mathematics: Merkle proofs, signatures, headers, and accumulators. They are binary: either the transaction is in the chain up to height H or it is not. Future prevention, by contrast, belongs to economics and law. It is achieved not through proofs but through structures of cost, reward, and punishment. A miner who has signed a receipt committing to a particular transaction may later be caught in equivocation, and such evidence becomes enforceable in contracts and courts. The impossibility of trustless prevention is thus mitigated by institutional and economic teeth: miners are bound not by prophecy but by consequence.
The existing SPV model exemplifies both the power and the limit of header-based verification. In the original design, lightweight clients are expected to maintain the chain of block headers. When presented with a transaction, they demand a Merkle proof demonstrating its inclusion in a block. With headers only, the client can validate the chain of proof-of-work and check that the transaction is indeed buried under sufficient difficulty. This provides assurance that the transaction existed and was confirmed. For the purpose of long-term settlement, this is sufficient. Confirmation and burial by additional blocks make the probability of reorganisation vanishingly small.
But the same SPV model fails when brought to the question of instantaneous commerce—“zero confirmation” payments. A merchant does not wish to wait for multiple blocks; he wishes to know now whether the coins being offered are real and unencumbered. SPV can show that an input existed, but it cannot show that it has not been spent elsewhere in the present moment. The lightweight client cannot download the entire UTXO set, nor can it exhaustively scan the mempools of all miners. The very design of SPV acknowledges this limitation: it was intended to reduce verification to proof of inclusion, not proof of exclusivity.
Thus the limit is exposed. SPV provides mathematical certainty for what is in the chain, but no assurance about what is not yet in it. The difference between “this transaction is in block B” and “no other transaction spends these inputs” is the difference between confirming presence and attempting to prove absence. The former is trivial with headers and Merkle branches. The latter requires a new structure: one that transforms the economic incentives of miners into binding commitments, backed by receipts, proofs of equivocation, and, if implemented structurally, cryptographic commitments to spentness embedded into each block header. Without these additions, SPV suffices for eventual confirmation but fails for instantaneous double-spend detection. It provides half the picture—existence—but leaves the essential problem unresolved: categorical assurance that a transaction is the unique spend of its inputs at the moment of acceptance.
III. Input Existence and Unspentness Proofs
When a verifier holds only block headers, the burden of proof shifts decisively onto the payer. It is the payer’s responsibility to present not only evidence that the inputs they are spending exist, but also evidence that those inputs remain unspent at the time of payment. Without full blocks or a locally maintained UTXO set, the lightweight verifier has no independent way to construct such assurances. The payer, therefore, must supply a bundle of cryptographic evidence that, when checked against the block header chain, establishes both the creation and the present availability of each input.
The first component is straightforward and already exists in the original SPV model: the input existence proof. For each UTXO being spent, the payer must provide a Merkle proof linking the transaction in which that output was created to the block header where it was first recorded. This is the classic construction described in the Bitcoin white paper. The block header contains the Merkle root of all transactions included in that block. By presenting a Merkle branch from the leaf (the transaction creating the UTXO) up to that root, the payer allows the verifier to confirm inclusion. By traversing the header chain, the verifier can ensure that the block itself is part of the best proof-of-work chain. Thus, with only headers and Merkle branches, the verifier knows that the inputs did exist on the ledger at a specific historical height.
Existence alone is not enough. A transaction input might have been created years ago but spent yesterday. For the merchant to have confidence in accepting a new payment, the inputs must not only be valid but also unspent. This introduces the harder requirement: the proof of unspentness. Two primary approaches have been proposed and explored, one operational and one structural.
The operational route is the miner attestation. Here, the payer collects signed statements from miners or mining pools, each declaring that as of their current tip H: (a) the outpoint in question is present in their UTXO set, and (b) no conflicting transaction for the same outpoint is recorded in their mempool. These attestations function like signed receipts. They do not alter the protocol; they rely on miners’ operational honesty, backed by their economic interest in reputation and contract. The verifier, holding only headers, checks that the attestation comes from an identifiable miner, that it is fresh (tied to the current height), and that the miner controls measurable hash power. When such attestations are gathered from miners controlling a majority of hash rate, the merchant has strong grounds to rely on the unspent status. The trade-off is that attestations are extra-protocol, requiring infrastructure and trust in identifiable actors.
The structural route is the UTXO commitment. Instead of miners signing external statements, the blockchain itself is extended to include commitments to the current UTXO set. Each block header (or its coinbase) would commit to the root of a cryptographic structure representing the entire set of unspent outputs at that height. This could be a sparse Merkle tree keyed by outpoint, a Merkle Mountain Range, or an RSA accumulator. With such commitments in place, the payer can provide a proof that the outpoint being spent is indeed a member of the UTXO set at height H. Some structures, such as sparse Merkle trees, also support efficient proofs of non-membership. This allows the payer not only to prove that the UTXO exists but also to demonstrate that no spend has yet been recorded against it. The merchant, with only headers, validates the cryptographic proof against the committed root, just as they validate a transaction inclusion against a Merkle root. The trade-off here is protocol complexity: UTXO commitments require changes at the consensus level and may involve storage or performance overhead.
Each approach has its merits and limits. Miner attestations are deployable today without altering consensus rules, but they rely on a web of signatures from actors whose honesty is enforced economically rather than cryptographically. UTXO commitments provide stronger, protocol-native guarantees, reducing reliance on off-chain trust, but they demand structural changes and broad adoption. Attestations are flexible but fragile; commitments are rigorous but costly to implement.
From the merchant’s perspective, validation always reduces to headers plus proofs. When presented with a payment, the merchant verifies:
The existence of each input by checking the Merkle branch against the block header where the UTXO was created.
The unspentness claim by verifying either (a) the miner’s signed statement of its status at tip H, or (b) the cryptographic membership proof against the UTXO commitment root in the latest header.
In both cases, no full blocks need to be downloaded. Headers alone suffice to anchor all proofs to the proof-of-work chain. This design maintains the efficiency of SPV while extending it beyond simple existence. It transforms the role of the payer into that of a prover: the one who must assemble and supply the evidence, leaving the verifier to perform only lightweight cryptographic checks.
By this mechanism, merchants gain a practical way to judge the legitimacy of transactions in real time. They can confirm that the inputs being offered were once created and remain available. The problem of proving the future is sidestepped; the system instead supplies binding evidence of the present, backed by either miners’ signatures or structural commitments. This is the necessary foundation for reliable zero-confirmation commerce in a header-only environment.
IV. Miner Receipts and Pre-Consensus Commitments
If input existence and unspentness proofs establish the foundation of a secure zero-confirmation payment system, miner receipts and pre-consensus commitments provide the structure that turns those foundations into a building. The idea is simple yet radical: instead of treating miners as passive block producers who only matter after confirmation, treat them as active participants who can extend cryptographic assurances about their mempool behaviour in real time. A merchant or payee does not merely throw a transaction into the peer-to-peer network and hope for the best; rather, they deliver the transaction directly to those entities with the actual power to decide its fate—the miners and their gateways—and they collect signed receipts attesting that the transaction will be mined first and without conflict.
Direct Broadcast to Miners
In the naïve broadcast model of BTC-style networks, a transaction enters a gossip pool where it may or may not be propagated quickly to miners. If a conflicting transaction also exists, the merchant has little insight until it is too late. The pre-consensus model addresses this by cutting through the middle. The merchant or their wallet software connects directly to multiple mining gateways, pushing the transaction into their mempools immediately and receiving structured feedback in return. The feedback is not a vague “we saw it,” but a signed artefact that can be held, stored, and produced later in court if required.
The Structure of an AcceptanceReceipt
Each miner responds to the merchant with an AcceptanceReceipt, a digitally signed object containing specific fields:
Miner ID and public key: to identify who issued the receipt and bind it to a verifiable entity.
Timestamp: to anchor the moment of acceptance and create an evidentiary trail.
Transaction ID (txid) and inputs hash: to specify exactly what was accepted and prevent substitution.
No-conflict status: a signed statement that, at the time of receipt, no other conflicting transactions for those outpoints were present.
Time-to-live (TTL) promise: a declaration that the miner will enforce first-seen ordering for a defined window (for example, two hours), guaranteeing that no later conflicting transaction will be admitted during that period.
Optional mempool commitments: a Merkle root of the miner’s entire mempool state, together with a Merkle branch placing the accepted transaction within it. This elevates the receipt from a simple promise to a provable inclusion.
The critical feature is binding. Once signed, the receipt constitutes a public declaration. If the miner later accepts a conflicting transaction for the same inputs, they have cryptographically contradicted themselves, and the merchant holds an equivocation proof.
Practical Assurance from Multiple Receipts
A single miner’s receipt may offer comfort, but the strength lies in aggregation. By sending the transaction to a broad set of miners or mining gateways, the merchant collects multiple AcceptanceReceipts. The reliability of these assurances increases with the cumulative hash rate represented by the miners who have signed. If receipts are obtained from miners controlling, say, 60–80% of the current network hash rate, the merchant has what amounts to court-quality evidence: the very entities with the power to construct blocks have pre-committed to include this transaction first. The likelihood that the payment will be reversed is reduced to vanishingly small probabilities, no different in practice than a cheque cleared through a clearing house.
Hashrate Thresholds as Evidence
The ≥60–80% threshold is not an arbitrary number. Courts, regulators, and auditors will recognise that the risk of reversal depends on the power of potential adversaries. If receipts cover the super-majority of miners, then any subsequent double-spend attempt would require coordination among actors who have already signed contradictory statements. In such a case, the victimised merchant can produce receipts demonstrating both the original promise and the later equivocation. The miners implicated would face reputational ruin, contractual liability, or direct legal sanction. The receipts thus transform ephemeral mempool gossip into binding commercial assurance.
Economic Binding Through First-Seen Enforcement
The TTL promise in each receipt carries an economic effect. By signing, the miner commits to enforce first-seen ordering for the inputs of the given transaction. If they later attempt to admit a conflict, the signed receipt acts as incontrovertible proof of bad faith. When coupled with bonding mechanisms, insurance arrangements, or simply the reputation of established mining firms, this makes equivocation economically irrational. In other words, the receipt binds miners to the transaction not merely socially but financially.
Optional Mempool Commitments
Receipts can be made stronger through mempool commitments. A miner can publish a Merkle root of their current mempool at regular intervals. When they accept a new transaction, they can include a Merkle branch proving that the transaction is included under the current root. This transforms the “I promise” into “here is a cryptographic proof that, as of this moment, the transaction is part of my mempool.” The merchant can then validate that proof against the miner’s published root. Any later deviation is again provable fraud. Such commitments increase transparency and eliminate ambiguity about what was actually present in the miner’s working set.
Effective Zero-Confirmation Finality
The result of this design is a system that provides effective zero-confirmation finality without requiring full blocks. Merchants, holding only block headers, can accept a transaction as final the moment they receive receipts from a majority of miners. The receipts bind the entities who actually control block production. The system produces not theoretical probability but practical assurance—strong enough to satisfy courts, auditors, and commercial risk departments.
In this way, the model inverts the old trust dynamic. Instead of merchants blindly trusting the network to behave, the network’s decision-makers extend explicit, verifiable commitments. Fraud becomes detectable and punishable. Honest behaviour becomes the only rational strategy. And crucially, all of this occurs before a block is even mined, giving the speed of instant settlement with the reliability of cryptographic evidence.
This is how digital cash can scale to real commerce: not by waiting interminably for block confirmations, nor by trusting abstract committees, but by binding miners in advance, using receipts that carry both legal and economic weight. It is a marriage of cryptography and commerce that transforms zero-confirmation from a gamble into a contractual certainty.
V. Double-Spend Alerts and Equivocation Proofs
Zero-confirmation assurance is incomplete without a mechanism for real-time double-spend detection. Input proofs and miner receipts are not enough if conflicting transactions can still slip silently through the network. What merchants need is a channel where miners themselves—those with the capacity to create blocks—become active notifiers of fraud attempts. This transforms the double-spend problem from a murky probability game into a crisp evidentiary process: either a miner holds fast to its first-seen commitments, or it exposes itself as a liar through equivocation.
Real-Time Double-Spend Detection
In practice, merchants or wallets subscribe to notification channels maintained by miners or hash-rate weighted gateways. These channels operate via persistent connections—websockets, SPV streams, or similar protocols—through which miners broadcast alerts whenever they see a conflicting spend for a watched outpoint. This is not hearsay; the miner produces a cryptographically signed message identifying the outpoint, the original transaction, and the conflicting transaction.
The effect is immediate. Merchants can be alerted in real time if a double-spend attempt is underway, before it is ever mined. The merchant does not need to poll or speculate; the entities that matter for consensus are directly signalling what they see. This prevents “quiet” fraud and ensures that every attempted double-spend leaves a permanent, signed footprint.
The Equivocation Problem
The crux of miner accountability is equivocation. A miner cannot truthfully promise to mine transaction A first and later promise to mine transaction B—where both spend the same inputs—without contradicting itself. If a miner issues an AcceptanceReceipt for A (stating no conflicts and a TTL guarantee) and later issues a receipt for B, it has signed two mutually incompatible commitments. That contradiction is more than sloppy behaviour; it is cryptographic proof of fraud.
Equivocation transforms the double-spend risk from something fuzzy into something black-and-white. Without receipts, a miner can always claim ignorance or network delay. With receipts, the paper trail is undeniable. Once a signature binds a miner to a position, any subsequent reversal is self-incrimination.
Structure of a DoubleSpendProof
To formalise this process, miners issue DoubleSpendProofs. Each proof is a compact evidence package containing:
Outpoint: the input
(txid, vout)that has been double-spent.First transaction ID and second transaction ID: the two conflicting spends.
Timestamps: when each transaction was first seen.
Miner ID and signature: binding the statement to the specific miner who observed it.
This package is small, verifiable against block headers, and indisputable. Once collected, the merchant can present it as evidence of attempted fraud. If the same miner has issued both conflicting receipts, the contradiction itself is an equivocation proof.
Economic Penalties for Equivocation
Equivocation only matters if it carries a cost. Here the system’s strength is that penalties are not theoretical; they are both reputational and contractual. Miners who issue contradictory receipts can be exposed publicly, with their signatures as undeniable evidence. Reputational damage in a competitive mining market is a serious deterrent, as commercial partners will avoid those known to cheat.
Further, receipts can be integrated into contractual frameworks. Merchants and payment processors can establish agreements that miners must bond themselves to their receipts. If a miner equivocates, the signed evidence triggers forfeiture of a bond, loss of insurance, or other contractual sanctions. By attaching economic weight to equivocation, the system ensures that dishonesty is never a free option.
Provable Fraud vs. Plausible Deniability
Without receipts and DS proofs, miners can always hand-wave: “the network was slow,” “we didn’t see the first transaction,” “the conflict arrived first on our side.” With equivocation proofs, those excuses evaporate. A miner who signs both sides of a contradiction cannot plead ignorance. The cryptographic record is damning, and fraud is no longer a matter of speculation. It is provable, auditable, and enforceable.
This shift has profound implications. The entire history of digital cash has been haunted by the uncertainty of zero-confirmation payments. Merchants had to rely on probability and heuristics, trusting that the cost of mounting a double-spend attack outweighed the gain. But with miner receipts and DS proofs, the equation changes: dishonesty is not just risky, it is self-destructive.
Incentives Recast
The final piece is incentive. In this system, honesty becomes rational, dishonesty becomes costly. A miner who honours its first-seen commitments secures its reputation, preserves commercial relationships, and avoids contractual penalties. A miner who equivocates leaves behind cryptographic fingerprints that can be weaponised against it in court or commerce.
This is the essence of aligning incentives in distributed systems: not assuming perfect honesty, but ensuring that dishonest behaviour is punished by the system itself. Equivocation proofs guarantee that fraud cannot be invisible, and economic penalties ensure that fraud is irrational.
Together, real-time DS alerts and equivocation proofs transform zero-confirmation from a gamble into a reliable, evidence-backed process. Fraud moves from the shadows of probability into the light of cryptographic accountability. The merchant is no longer a victim of uncertainty but an empowered actor holding binding evidence in hand.
VI. The Spentness Tree: Cryptographic Commitments
The final step in transforming assurances into categorical proofs is the Spentness Tree: a cryptographic structure designed not merely to show that an input once existed, but to prove as of a given block height that it was either unspent or spent by a unique, verifiable transaction. This is the shift from probability to certainty—anchoring double-spend detection in mathematics rather than heuristics or miner attestations.
From Assurance to Categorical Proofs
Traditional SPV provides existence proofs but not non-existence proofs. One can show that a transaction was included in a block, but not that a given outpoint has never been spent. Attestations from miners—signed declarations that they have not seen a conflict—improve confidence but remain operational promises. They provide practical assurance but stop short of categorical proof.
The Spentness Tree fills this gap by enabling proofs of both membership (“this outpoint has been spent by txid Y”) and non-membership (“this outpoint remains unspent up to height H”). Once integrated into the block structure through committed roots, the Spentness Tree makes equivocation cryptographically detectable and thus economically irrational.
Design of the Spentness Tree
The structure is simple but powerful.
Key: the outpoint, defined as
(txid, vout).Value: either empty (unspent) or
hash(spending_txid)(if spent).Data structure: a sparse Merkle tree (or equivalent cryptographic accumulator).
Sparse Merkle trees are particularly well-suited because they allow succinct proofs of both presence and absence. A given outpoint corresponds deterministically to a leaf. If the leaf is empty, one can prove non-membership by showing the Merkle path to an empty node. If the leaf is set to hash(txid), one can prove unique membership by supplying the Merkle path and verifying it against the committed root.
Workflow: Proving Spentness
The merchant workflow proceeds as follows:
Non-membership proof at H. Before accepting payment, the merchant requests from miners a proof that each input outpoint’s leaf is empty at height H. The proof is a Merkle branch leading to the tree root, showing the value is unspent.
Update and signed receipt. When the miner accepts the new transaction, it updates the leaf from empty to
hash(txid)and produces a signed update receipt. This receipt contains the old proof (empty leaf), the new proof (leaf =hash(txid)), and the two corresponding roots. The miner signs a statement binding both roots to the txid.Commitment in block header. In the next block, the miner commits the updated root into the block header (or an extension header). Now the blockchain itself anchors the updated state.
Why This Works
With this workflow, the merchant holds a chain of proofs:
Proof that the input was unspent up to height H.
A miner-signed receipt that the input was then spent by txid Y.
A block header committing the new tree root, verifying that state transition.
This combination ensures that the input was uniquely spent by the merchant’s transaction. Any attempt to later spend the same outpoint would require producing a conflicting tree root. But since miners sign and commit each root, conflicting roots expose cryptographic equivocation—a provable fraud.
Guarantees and Finality
The Spentness Tree offers two key guarantees:
Unspentness up to H. A non-membership proof demonstrates that no prior spend of the outpoint existed before height H.
Unique spentness thereafter. The transition from empty to
hash(txid)proves that the merchant’s transaction, and no other, claimed the input.
No later conflicting update is possible without a signed contradiction. Thus, double-spends are not merely detected—they are categorically prevented at the cryptographic level.
Advantages of the Spentness Tree
The elegance of the system lies in its efficiency. Proofs are succinct, logarithmic in size, and easily verifiable using only block headers. The merchant does not need to download full blocks or maintain the UTXO set. All that is required are:
Headers to anchor Merkle roots.
Proof branches for each input.
Miner-signed receipts for updates.
This design is scalable. It avoids the burden of carrying full UTXO sets or requiring each merchant to run a full node. It also formalises miner accountability by making dishonesty provable, not arguable.
From Practical Assurance to Cryptographic Certainty
The Spentness Tree is the missing piece that moves zero-confirmation from practical assurance into categorical, court-quality proof. Combined with miner receipts and DS notifications, it makes the system robust not only in practice but in principle. With it, merchants can transact at scale with confidence, knowing that their inputs are uniquely theirs, and that fraud leaves an unerasable, provable trail.
VII. Storage and Chain-of-Custody
For the merchant, the real achievement of this design lies not in cryptographic novelty but in the simplicity of what must be retained. The storage burden is minimal, yet the evidentiary strength is immense.
The merchant does not need terabytes of block data or a live UTXO set. Instead, the package is lean:
Block headers — the immutable backbone of proof, anchoring every claim to the chain.
SPV input proofs — Merkle branches showing each input’s creation in a valid block.
Miner receipts — signed attestations binding specific miners to first-seen acceptance of the transaction.
Double-spend proofs (if any) — signed contradictions that, if they exist, expose equivocation in plain, undeniable form.
Spentness proofs — Merkle paths showing the input was unspent up to height H, then uniquely spent by the txid in question, bound by miner signatures and header commitments.
Together, this package forms a complete chain of custody for every payment. It is compact enough to be stored on a laptop or even a phone, yet robust enough to be presented in court as categorical evidence. No full node required, no sprawling datasets—just a cryptographically sealed dossier that proves both existence and exclusivity of the spend.
The comparison to traditional models is stark. A full node offers raw completeness but little in the way of practical legal accountability: terabytes of data, but no explicit receipts tying individual miners to their commitments. Here, by contrast, receipts and proofs are bound to identifiable entities—the very hash power that decides the chain’s future. Accountability is not abstract; it is personal, direct, and undeniable.
This is lighter than a full node but legally stronger. The system reduces storage while elevating trust, not by faith, but by turning every miner’s word into a signed, verifiable contract. Equivocation is no longer a suspicion; it is a cryptographic fact. And in law, as in commerce, facts that can be proven are what matter.
VIII. Why This Works and Its Limits
The central fact must be repeated without apology: you cannot prove a negative about the future. No cryptographic system can conjure a guarantee that tomorrow, or the block after tomorrow, some rival transaction will not emerge. What you can do—and what this design does—is establish categorical truth as-of-height H. At that height, the inputs existed, they were unspent, and they were bound to your transaction by the very entities who alone possess the power to create blocks.
Miner receipts convert the intangible into evidence. When miners sign “first-seen” commitments, they are not merely whispering intentions but issuing cryptographic contracts. If later they accept a conflicting spend, the equivocation is demonstrable. Fraud ceases to be a matter of suspicion or rhetoric; it becomes provable with a package of signed proofs that no court can dismiss. The introduction of cryptographic receipts transforms dishonesty into an economically irrational act. Miners gain nothing lasting by cheating, but they risk permanent reputational ruin, contractual penalties, or forfeited bonds.
This aligns incentives. Honest mining is not a moral preference; it is the rational path. By signing receipts and maintaining consistency, miners secure their position in the economic order. By cheating, they broadcast their duplicity to the world in a form that cannot be denied. In such an environment, honesty emerges as the equilibrium strategy, not by appeal to virtue but by the cold calculus of game theory.
There are, however, limits. This system rests on miner signatures and thus requires broad hashrate participation. A single receipt proves little; meaningful assurance arises only when a majority—60 to 80 percent of recent hash power—has placed its commitment behind the transaction. Further, there is a trade-off between latency and assurance. A single miner’s receipt may provide near-instant acceptance, but broader coverage requires seconds or minutes of propagation. Practical commerce will balance these factors depending on risk tolerance and transaction size.
Despite these limits, the outcome is profound: real 0-conf commerce at scale. Payments can be accepted in seconds with receipts that offer court-quality assurance. Disputes can be resolved not by endless forensic chain analysis but by pointing to receipts, roots, and proofs. The chain of custody is clear, compact, and legally decisive.
The old refrain that “0-conf is unsafe” collapses under this model. It is unsafe only in systems where fraud cannot be proven and punished. Here, fraud is traceable, provable, and economically self-defeating. Future non-existence will never be provable. Present exclusivity, however, can be—and that is sufficient for commerce, law, and civilisation itself.
IX. Broader Implications
The consequences of this model stretch far beyond the technical. For digital cash, it restores the long-promised capacity for real micropayments—transactions measured in pennies or fractions of pennies, settled instantly, and accepted with confidence. Coffee, machine-to-machine tolls, streaming payments by the second—all become practical, not theoretical. Settlement occurs as fast as a packet can move, yet carries with it receipts that bind the very creators of blocks.
For law and commerce, the shift is seismic. Merchant acceptance no longer relies on probabilistic comfort or vague assurances but on receipts that rise to the level of court-quality evidence. A signed miner commitment is no different, legally, from a banker’s certified note. Fraud, once an elusive spectre in the digital realm, becomes a tangible act that can be shown, proved, and punished. Disputes are not relegated to the chaos of opinion; they are adjudicated with evidence of cryptographic integrity.
For scaling, the implication is liberation. With headers-only verification, billions of users can transact without ever touching full blocks. The burden of storage, bandwidth, and constant sync evaporates. Lightweight clients gain not only efficiency but legal and commercial strength. The dream of a global system—billions of wallets exchanging trillions of transactions—is no longer fantasy. It is structurally feasible.
In historical context, this is a return rather than a departure. The original design envisioned a network where lightweight clients could operate securely, relying on proofs and structure rather than blind trust. What is proposed here extends that vision with modern cryptographic tools: sparse Merkle trees, miner receipts, double-spend proofs. The principle remains unchanged—simplicity, scalability, integrity—but the machinery matures.
What emerges is a system that is not only technically sound but commercially and legally viable. It is not an academic curiosity, nor a fragile experiment, but a foundation on which global commerce can be built.
X. Conclusion
The central thesis has been plain throughout: no system can prove a negative about the future, and double-spend prevention is no exception. What can be achieved, however, is categorical assurance “as-of-height”—a proof that, at a given moment in the ledger’s progression, inputs were real, unspent, and bound uniquely to the presented transaction. This is not prophecy but evidence, and in commerce evidence is what matters.
The mechanism is layered but not complicated. At its foundation lie the same tools that defined the earliest vision of digital cash: block headers and Merkle proofs, the machinery of SPV. Upon this base come miner receipts, the explicit commitments of those who alone can shape the chain. These commitments, signed and timestamped, attest to first-seen status and rule out conflicts at the point of entry. Surrounding this process are real-time double-spend alerts, signed disclosures that transform equivocation from suspicion into demonstrable fraud. And crowning the structure is the Spentness Tree, a cryptographic commitment to unspentness and unique spend, secured in roots embedded into block headers.
Taken together, these parts deliver a chain of custody that is light to store, simple to verify, and weighty in law. The merchant need not trust vague assurances of eventual confirmation, nor wait interminably for blocks; he holds receipts that can stand in court, backed by cryptographic integrity and economic incentives. Fraud is not impossible, but it is detectable, provable, and therefore punishable.
The result is practical finality without full blocks. It is commerce at the speed of communication, underpinned by receipts and commitments rather than hope. It is a design that honours the original intent—digital cash at scale—while arming it with the cryptographic tools to thrive in an age of billions of users and trillions of transactions. This is how double-spend detection and assurance can be achieved off-chain, and this is how digital cash becomes not just possible, but usable, at last.