Blockchain: The solution has finally found its problem
For over a decade, blockchain has been a technology in search of a use case that ordinary people actually need. Humans already have trust infrastructure: banks, courts, legal contracts, social reputation. Imperfect and expensive, but functional enough that switching costs outweigh the benefits of decentralization.
AI agents have none of that. No credit score, no bank account, no legal standing, no reputation that transfers across systems. Every agent is, by default, a stranger. And unlike humans, agents will transact millions of times per day, with other agents they have never encountered, across organizational and model boundaries, often for sub-cent amounts, at machine speed. Trustless transactions between parties with no prior relationship is precisely the problem blockchain was designed to solve.
But trustless transactions still require identity. An agent spending money needs to prove it acts on behalf of a real human with real accountability. A service agent needs to prove its provider has a track record. The agentic economy needs identity infrastructure that works for both humans and the machines acting on their behalf.
Nagori is that infrastructure. It is a graph-density identity system on Algorand where trust accumulates through lived experience rather than being granted by authority. Humans build identity through attestation graphs. Agents inherit trust through human-delegated authority: scoped, revocable, and traceable back to a real person with a real track record. The system provides the missing identity layer between blockchain settlement and the agentic economy.
Two trust gaps, one root cause
The human identity gap
Every identity system hits the same recursive question: who verifies the first verifier? Passports are trusted because the state issues them. The state is trusted because it has the biggest guns. This works, up to a point. But it means identity is coupled to sovereignty, and sovereignty is coupled to geography. Cross a border and your identity degrades. Lose your documents and you functionally stop existing.
Dig into what a passport actually proves and you find three distinct claims tangled together:
Liveness. Are you a biological human? Not a bot, not a synthetic identity, not a deepfake.
Continuity. Are you the same person who registered? Not someone borrowing or stealing a credential.
Uniqueness. Have you registered only once? You don't hold a second identity under another name.
These three properties have different failure modes and different attack surfaces. Bundling them into one document means compromising any one compromises all three. It also means the issuing authority must be trusted across all three dimensions simultaneously, which is a lot of trust to place in any single institution.
The machine trust gap
AI agents are starting to transact autonomously. A Claude agent hires a GPT-4 agent to run a subtask, which calls a Gemini agent for translation, which pays an open-source agent for specialized data. Each step crosses organizational boundaries. No company trusts another company's internal ledger. No agent has a credit history, a legal identity, or a reputation that persists across contexts.
Humans can fall back on banks, courts, and contracts to resolve disputes. Agents cannot. They operate at machine speed, in volumes that make human dispute resolution impossible, for amounts too small for any court to adjudicate. The traditional trust stack does not scale to the agentic economy.
Both gaps share the same root cause: there is no neutral, decentralized way to prove who you are, who you represent, and whether you can be held accountable. Nagori unbundles identity and proves each property independently, for both humans and the agents acting on their behalf.
The agent economy is the use case blockchain was built for
Satoshi's original paper described a system for two parties to transact without trusting each other or relying on an intermediary. For humans, that is a niche need. For AI agents, it is the default condition of every interaction.
The heterogeneity problem
Early agentic systems are walled gardens. A Claude agent talks to another Claude agent, billed to one Anthropic account. But the moment agents cross vendor boundaries, you have a multi-party trust problem with no neutral arbiter. Blockchain is the only settlement layer that does not require any party to trust any other party's internal bookkeeping.
Atomic composability
When an agent orchestrates a 12-step workflow across 7 sub-agents, you need atomicity: either the whole thing executes and settles, or none of it does. Smart contracts handle this natively. Traditional payment rails were designed for bilateral, sequential transactions. They cannot express "pay agent C only if agents A and B both completed their subtasks within 30 seconds."
Micropayments at machine scale
Agents executing thousands of sub-cent transactions per minute cannot use payment rails designed for $5 minimum charges, 3% fees, and 48-hour settlement windows. Algorand settles in 3.3 seconds for approximately 0.001 ALGO per transaction. The economics of machine-speed commerce require blockchain-native settlement.
Blockchain gives agents trustless settlement. But settlement without identity is just anonymous money movement. An agent needs to prove: I act on behalf of a real human. That human has accountability. My authority is scoped and revocable. The human's track record backs my transactions. This is the identity layer the agentic economy is missing. This is Nagori.
Five inversions
Each principle emerged from inverting a conventional assumption about what makes identity hard.
1. Identity is revealed, not created
Every living human already carries enormous identity density, fragmented across dozens of systems: bank accounts, medical records, employment history, utility bills, social connections, purchase patterns. The system does not create identity from nothing. It recognizes and aggregates evidence that already exists. An immigrant arriving in a new country does not start at zero. They carry portable graph density from their origin, weighted by the graph density of their origin attestors.
2. Privacy strengthens identity
The system does not need to read the content of edges, only count them and verify their provenance. Encrypted edges are still edges. Exercising privacy controls is itself a signal of genuine identity. Bots do not file privacy requests. The act of managing, restricting, and selectively disclosing attestations is a pattern that synthetic identities struggle to replicate.
3. Weight is emergent, never assigned
No committee decides that a bank attestation outweighs a social one. The weight of any edge equals the graph density of the attestor who created it. This is PageRank applied to identity. Institutions earn their weight through the density and diversity of their own connections. A corrupt institution that loses relationships sees its edges lose weight organically. The system self-corrects without anyone making a judgment call.
4. Prove without revealing
Identity verification typically forces a choice: disclose everything or prove nothing. Nagori's ZK layer inverts this. You can prove your graph density exceeds a threshold, that you hold attestations across N categories, that your agent is authorized for a specific scope, all without revealing the underlying data. An agent negotiating a contract can prove its principal has a forgery resistance score in the 90th percentile without disclosing who that principal is, what their attestations contain, or which institutions back them. Selective disclosure applies to every layer of the system.
5. Death is the ultimate proof of having lived
When a person dies, dozens of independent systems confirm it simultaneously: medical records, state registries, bank freezes, employer revocations, utility closures. This convergence of uncorrelated signals is the highest-density identity event a human can produce. The identity does not disappear. It transitions from active agent to historical record. The graph persists, frozen but verifiable, and continues to receive edges from the living. Death is the strongest attestation the identity system can register.
Nine layers
Nagori is organized into nine layers, each addressing a distinct function. The layers are designed to be independently verifiable, so a failure or compromise at one layer does not cascade through the system.
L0: The Physical Anchor
L0 is the one concession to physicality. It is not the root identity itself, just one edge in the graph. Its purpose is narrow: prevent pure-digital sybil attacks at system bootstrap, before graph density has accumulated enough signal to catch fakes on its own.
L0 must establish three things: that a biometric was captured from a living human (liveness), that the capture happened on trustworthy hardware (integrity), and that this human has not already registered under a different identity (uniqueness). The first two are solved problems. The third is where it gets hard.
The Secure Enclave Problem
Consumer devices ship with capable biometric hardware. The iPhone's Secure Enclave and Google's Titan chip handle liveness detection and biometric matching in tamper-resistant environments. This is excellent for authentication: confirming that the person holding the device is the person who enrolled on that device. It is a 1:1 matching problem, and the hardware solves it well.
Nagori's uniqueness oracle requires the opposite: identification, a 1:N matching problem. The system needs to answer whether this person has enrolled on any device. The Secure Enclave's entire security model was engineered to make this impossible. The privacy guarantees that make consumer biometric hardware trustworthy are the same guarantees that prevent cross-device uniqueness comparison.
Capture biometric directly through the camera, compute a one-way hash on-device, submit to a uniqueness oracle. Secure Enclave still handles liveness. Problem: consumer cameras aren't calibrated for biometric-grade cross-device comparison. Same face, different hash on different devices. This is why Worldcoin built custom Orb hardware.
Apple's App Attest and Google's Play Integrity prove a request originates from a real, unmodified device with biometric unlock. Gives liveness and integrity, not uniqueness. Mitigation: bind one DID per device attestation key, permanently. Sybil attacks then require multiple physical devices. Graph layers compensate above.
Accept weaker sybil resistance at launch. Early in the system, attacks are cheap regardless of biometric quality. The real sybil resistance comes from L2/L3: the cost of maintaining a fake identity across uncorrelated attestors over years. L0 becomes less critical as graph density grows. Tighten later.
Bootstrap is not a paradox. Every living human already has massive identity density across fragmented systems. The system doesn't create identity from nothing. It reveals identity that's already there. L0 is the moment an existing identity graph gets a single address.
L1: Identity Node
A decentralized identifier (did:algo) is generated on Algorand, anchored by a Falcon-1024 post-quantum key pair. The private key never leaves the holder's device. The DID document contains public key material, service endpoints, and delegation policies. No personal data. The document is the identity.
On creation, the ingestion protocol immediately begins absorbing pre-existing edges: bank relationships, utility accounts, social connections, employment records. Each ingested edge is verified by its source and timestamped to its original date, not the ingestion date. A person who has maintained a bank account for fifteen years enters the system carrying fifteen years of evidence on day one.
L2: Attestation Graph
Every interaction that produces a verifiable record becomes an edge: institutional attestations, social attestations, transactional attestations, temporal attestations, and encrypted attestations. Encrypted edges are still edges. A zero-knowledge proof can demonstrate that an attestation exists, was created by an entity with a specific graph density, and falls into a particular category, all without revealing its content. Privacy and verification reinforce each other.
L3: Graph Analysis
Three algorithms operate at L3. Recursive attestor weighting sets the weight of an edge equal to the graph density of the attestor who created it. This recurses: the attestor's density is itself a function of the density of their attestors. No committee sets parameters. Weight is an emergent property of the network.
The category diversity score penalizes concentration. An identity with ten bank attestations and nothing else is suspicious. Breadth across uncorrelated categories is what's hard to fake.
The forgery resistance score estimates the cost, in time, money, and coordination, to synthetically reproduce an identity's graph from scratch. Time is the hardest thing for an attacker to fake. This is the real confidence metric.
L4: Zero-Knowledge Proof Layer
AlgoPlonk ZK-SNARKs enable selective disclosure. An identity holder can prove their graph density exceeds a threshold, that they hold attestations in at least N categories, that their forgery resistance meets a minimum, all without revealing underlying edge data. Proofs are generated on-device and verified on-chain.
L5: Confidence Thresholds
Verifiers set their own thresholds, published on-chain for transparency. A low-value agent transaction might accept a graph density above 0.3. A high-value contract delegation might require 0.9 with minimum category diversity of 5. On-chain publication means thresholds are publicly auditable. If a platform sets unreasonable requirements, anyone can see it.
L6: Agent Delegation
L6 is the bridge between human identity and the agentic economy. A root identity (human) signs a delegation credential to an agent DID. Each credential specifies scope of authority (transaction limits, permitted action types, domain restrictions), expiry conditions, and revocation terms. The cryptographic chain from agent back to root is verifiable by any counterparty in a single on-chain lookup.
When an AI agent presents itself to another agent or service, it proves: I am authorized by a human whose graph density is above your threshold. My authority is scoped to this type of transaction. My principal can revoke me instantly. This gives the counterparty what it needs: accountability traceable to a real human, without requiring that human to be present for every transaction.
Agent activity accumulates attestation edges back to the root identity. A hundred agents acting on your behalf creates a hundred streams of edge accumulation. Your agents make your identity denser, not thinner. Delegation credentials can include death-triggered succession clauses that execute automatically when L7 detects the mortality signal.
Traditional systems give AI agents no identity at all, or give them identity disconnected from human accountability. Nagori connects them: every agent transaction is traceable to a human identity with graph density behind it. If an agent misbehaves, the principal's graph absorbs the damage. Delegation is the economic link between human reputation and machine action.
L7: Identity Mortality
When a person dies, the system detects the convergence of uncorrelated signals: medical confirmation, state registration, bank freezes, employer revocations. The identity transitions to a permanent, read-only historical record. Delegated agents execute succession logic. The graph persists and continues to receive edges from the living.
L8: Applications
The architecture supports any context where proven identity and accountability are prerequisites. Agentic commerce is the primary use case: agents transacting across organizational boundaries with delegated authority and traceable accountability. Voting with deniable receipts (where the system generates plausible receipts for every option, collapsing the economics of coercion) is a second application that exercises the full stack. Credential verification, supply chain attestation, and cross-border identity portability are additional targets as graph density matures.
Built for identity that outlives the current cryptographic era
The base layer for an identity system carries different requirements than a DeFi protocol or NFT marketplace. Identity is a long-duration asset. An attestation graph accumulates value over years or decades. And when that identity layer also serves the agentic economy, the base layer must handle machine-speed transaction volumes with deterministic settlement. Algorand provides both.
Deterministic Transaction Finality
When someone attests to a relationship or a ZK proof is verified on-chain, that fact needs to be settled. Not probabilistically settled, but deterministically final in a single round. Algorand delivers finality in approximately 3.3 seconds. No forks, no reorganizations. An attestation that is confirmed stays confirmed.
For a system where trust accumulates through graph density over time, the base layer cannot rewrite history. A chain reorganization that reverses attestations would undermine the temporal signal that the forgery resistance score depends on. For agent-to-agent transactions that need instant settlement, probabilistic finality is not an option. Finality is a correctness requirement for Nagori, not a performance preference.
Layer-1 Sovereignty
Building identity on a layer-2 chain introduces dependencies that contradict Nagori's design philosophy. An L2 sequencer is a trust intermediary that can censor, reorder, or delay attestation transactions. For a system premised on the principle that identity is revealed through lived experience rather than granted by authority, depending on a sequencer's honesty is a structural contradiction.
Algorand's L1 processes every transaction through the full validator set under Pure Proof-of-Stake consensus. In December 2025, peer-to-peer networking launched as an opt-in feature, enabling nodes to connect through permissionless repeaters rather than relying on permissioned relay infrastructure. Validators increased 121% to nearly 2,000, with online stake doubling to approximately 2 billion ALGO.
Transaction Throughput
For human attestation writes, this capacity is more than sufficient. For agentic commerce, where thousands of agents may be transacting simultaneously, the headroom matters. The protocol's stated next target is 10,000 TPS through further round-time optimizations. At 0.001 ALGO per transaction, the fee structure supports the sub-cent micropayments that machine-speed commerce requires.
Post-Quantum Cryptography
Identity graphs must outlive the current cryptographic era. If quantum computing breaks Ed25519 within the lifetime of an attestation graph, every accumulated edge becomes vulnerable. An attacker would not need to forge new attestations. They would only need to derive private keys from public keys and retroactively compromise the graph's integrity.
In November 2025, Algorand executed the first post-quantum transaction on a live public blockchain using NIST-selected Falcon-1024 signatures. Real digital assets were transferred on mainnet, secured by lattice-based cryptography resistant to Shor's algorithm. Algorand's state proofs already use Falcon signatures to secure blockchain history every 256 rounds, meaning attestation edges recorded today will remain verifiable even if quantum computers mature within the next decade.
The protection is not yet complete. Consensus still relies on classical Ed25519, and the VRF uses pre-quantum cryptography. But the protocol team has introduced Lattice-Based VRF (LB-VRF) for quantum-resistant randomness generation, and an experimental AVM opcode for Falcon verification is in development. The trajectory is toward full quantum resistance at the consensus level.
A Cambridge analysis of 879 blockchain repositories found that only 4 (0.5%) reference actual post-quantum algorithms with concrete implementations. Algorand is one of two chains doing real work on post-quantum cryptography. For an identity system designed to persist for decades, this is a survival criterion.
Additional Alignment
Algorand also provides did:algo, a W3C-standard decentralized identifier already in production. AlgoPlonk is the ZK toolkit for on-chain zero-knowledge applications. Atomic transfers enable bundled attestation operations, so mutual attestations and multi-step agent workflows can be made atomic. Fees are predictable at approximately 0.001 ALGO per transaction, which prevents economic barriers that would skew graph density toward wealthy participants. There are already production identity deployments on Algorand, including the SEWA Digital Health Passport and Mann Deshi credit scoring system in India. The protocol was founded by Silvio Micali, co-inventor of zero-knowledge proofs.
How trust compounds
Recursive Attestor Weighting
The weight of an edge is not fixed. It is a function of the attestor's own graph density, which recurses through the attestor's attestors. This terminates naturally: density is bounded, and distant node contribution diminishes with each hop. No committee sets weights. No governance proposal ranks institutions. A newly formed organization starts with minimal weight. As it accumulates diverse, high-density edges over time, its weight grows. If it loses relationships, its weight decays. The system self-corrects.
Forgery Resistance Score
The forgery resistance score estimates the cost of synthetically reproducing a graph from scratch. It accounts for attestor diversity, depth, temporal span, and cross-source correlation. An identity with 50 attestations from a single category created within a week has a low score. An identity spanning 15 years, across 6 categories, from unrelated attestors in different jurisdictions, has a forgery cost approaching the cost of actually being that person. Time is the variable that attackers cannot compress.
Ingestion Protocol
On DID creation, the ingestion protocol absorbs pre-existing edges, each verified by its source and timestamped to its original date. A person with 20 years of banking history enters carrying 20 years of evidence on day one. This solves the cold-start problem: new users are not penalized for joining late.
Agent Delegation Protocol
A root DID signs a Verifiable Credential to an agent DID specifying scope, expiry, and revocation conditions. The agent proves its delegation chain on-chain in a single lookup. Counterparties verify the principal's graph density without learning the principal's identity. Agent edges flow back to the root, creating a feedback loop where delegation activity strengthens the principal's graph. Revocation is instant and globally visible. Misbehaving agents damage the principal's graph density, creating a direct economic incentive for humans to govern their agents responsibly.
Unsolved problems, stated honestly
These are design constraints that must be resolved before Nagori moves from specification to production.
If L0 requires purpose-built capture hardware, the manufacturer becomes a trust anchor. The system's long-term viability depends on defining a trigger condition: at what graph density threshold can L0 be relaxed or replaced by graph density alone?
Losing the private key orphans the entire identity graph. The graph could serve as a recovery signal (N attestors vouch for a key rotation), but this creates a social engineering attack surface. Threshold and attestor requirements need careful calibration.
Institutions that join early accumulate heavy edges through longevity alone. Decay functions help, but the decay rate is loaded: too aggressive and legitimate relationships lose signal; too gentle and early movers entrench permanently.
The populations most excluded from identity systems are also those most likely to use low-end mobile hardware. If ZK proofs require expensive devices, the system reproduces the exclusion it claims to solve.
If the mortality pattern fires incorrectly (coma, witness protection, off-grid absence), reversal requires a challenge mechanism. But if dead identities can be reactivated, they can also be hijacked. The challenge process must exceed the detection threshold.
When a delegated agent misbehaves, the principal's graph absorbs damage. But how much? If a rogue agent can crater a decade of accumulated trust, delegation becomes too risky for high-density identities. If damage is too contained, accountability becomes meaningless. The liability propagation function needs formal specification.
From specification to prototype
Whitepaper v0.3 (Draft, March 2026). This revision reframes Nagori around the agentic commerce thesis, expands the Algorand rationale with throughput data and post-quantum cryptography analysis, incorporates the L0 device attestation paths, and elevates L6 agent delegation as the primary bridge to the machine economy.
Formal definition of recursive attestor weighting, decay rates, category diversity metrics, and forgery resistance scoring.
Specification of delegation credentials, scope encoding, revocation mechanics, and liability propagation functions.
AlgoPlonk circuit architecture for threshold, category, and delegation proofs. Benchmarked on low-end mobile hardware.
Cooperation protocols with attestation sources. Incentive structures for institutional participation.
Select between Secure Enclave bypass, device attestation, or degraded L0 with upgrade path. Benchmark sybil resistance under each approach.
One human identity, one delegated agent, one cross-boundary transaction with accountability proof. The skateboard.