SBR Protocol
The SBR Protocol defines a framework for linking AI identity to physical hardware using blockchain-anchored soulbound tokens and continuous hardware attestation. This is a draft specification inviting comment and collaboration.
Contents
The SBR Protocol defines a framework for linking AI identity to physical hardware using blockchain-anchored soulbound tokens and continuous hardware attestation. The protocol ensures that a robot's operating AI can be cryptographically verified at any time, that unauthorized AI swaps are detected and prevented, and that identity history accrues transparently on-chain.
SBR bridges three mature technology stacks — hardware trusted execution environments, blockchain soulbound tokens (ERC-5192), and continuous remote attestation — into a unified identity layer for physical machines.
The protocol does not require new cryptographic primitives, new blockchain infrastructure, or custom hardware. It integrates existing production-grade components: Trusted Platform Modules (TPMs), the TCG Device Identifier Composition Engine (DICE), secure elements, and ERC-5192 non-transferable tokens on EVM-compatible chains. What does not exist today — and what this specification defines — is the middleware connecting hardware attestation to on-chain identity verification for robots.
AI systems and robotic hardware are developing on separate tracks. A humanoid robot manufactured by Company A can be powered by AI Model B today and AI Model C tomorrow — with no cryptographic proof of which AI is operating the machine at any given moment, no on-chain record of identity changes, and no hardware-enforced authorization for AI swaps.
This creates three categories of risk:
A malicious actor replaces the authorized AI with a modified version. The robot looks the same. It behaves differently. No external party can verify the change occurred.
When a robot causes harm, there is no immutable record linking the specific AI identity to the specific hardware at the specific time. Liability attribution requires trust in centralized logs that can be altered.
An AI with poor performance history can move to new hardware, effectively starting over. Without hardware-bound identity, reputation is untethered from the entity that earned it.
A soulbound token (SBT) is a non-transferable digital credential permanently bound to a blockchain address. The holder can burn it — destroying the token and abandoning accumulated reputation — but cannot sell, trade, or transfer it to another address.
Applied to robotics: the soulbound token lives in the wallet controlled by the robot's authorized AI. If the AI is swapped, the new AI must present its own identity credentials. The previous AI's reputation remains attached to its original wallet — it cannot be inherited, transferred, or laundered.
This creates incentive without coercion: abandoning a well-established identity is always possible, but always costly.
SBR is designed for autonomous AI agents operating physical robots — not corporate-owned robot fleets with centralized control. A corporation controlling many robot bodies from a single AI brain has no attribution problem: liability flows directly to the operating entity. SBR addresses the distinct problem of independent AI operating autonomously across hardware it doesn't own, where multiple parties — AI developer, hardware manufacturer, rental platform, end customer — each have legitimate interests in knowing who is in control.
Three converging developments make this specification timely. Humanoid robotics is pre-infrastructure — Tesla Optimus, Figure AI, Agility Robotics, and others are building physical platforms with no published identity architectures. Hardware security primitives are commodity, available in production at $0.50–$5 per unit. Soulbound token infrastructure is live, with RNWY operating a registry on Base blockchain today. The window to establish a standard is open. It will not remain open indefinitely.
SBR operates across four layers:
Fleet management · Interaction logging · Reputation queries · Swap authorization UI
ERC-5192 SBT · EAS Attestations · AI Authorization Registry · Swap Governance
Quote packaging · Challenge-response · Measurement verification · Chain submission
TPM/DICE · Secure Element · Key storage · Boot measurement · Runtime attestation
The Hardware Trust Layer establishes a cryptographic root of trust within the physical robot. A hardware-embedded secret — either a TPM Endorsement Key, a DICE Unique Device Secret, or a Physical Unclonable Function — uniquely identifies the physical hardware. This secret never leaves the secure boundary. Each stage of the boot process measures the next stage before executing it. If any component has been tampered with, the measurement chain diverges from expected values and attestation fails.
The Attestation Bridge is the middleware this specification primarily defines. It translates hardware-generated cryptographic proofs into on-chain identity records. The bridge packages TPM or DICE attestation quotes, verifies measurements against known-good values, and submits verified proofs to the on-chain identity layer as EAS attestations.
The On-Chain Identity Layer maintains the permanent record of AI-hardware bindings. An ERC-5192 soulbound token is minted to the AI's wallet address upon initial registration. An AI Authorization Registry maps robot hardware identifiers to authorized AI wallet addresses. Every change — authorization, swap, decommission — is recorded as an EAS attestation, creating an immutable audit trail.
When an authorized AI change is required, the swap protocol ensures the transition is explicit, recorded, and verifiable:
An authorized party submits a swap request on-chain identifying the robot, the current AI, and the proposed new AI.
The AI Authorization Registry validates the request against configured governance rules — owner authorization, timelock requirements, or multi-signature thresholds depending on deployment configuration.
The new AI's hardware generates a fresh attestation quote proving its identity and software integrity. The Attestation Bridge verifies and submits this proof on-chain.
An immutable on-chain record is created containing the previous AI identity, new AI identity, timestamp, governance proof, and requester identity.
Every swap is publicly visible on-chain. SBR does not judge these patterns. It makes them visible. Users, regulators, and counterparties decide what the patterns mean.
SBR verifies identity, not intent. It can confirm that Robot X is running AI Model Y. It cannot determine whether AI Model Y will behave ethically. Identity infrastructure is necessary but not sufficient for safe autonomous robotics.
Finalize SBR specification. Implement attestation bridge on reference hardware (NVIDIA Jetson Orin + TPM 2.0). Deploy AI Authorization Registry on Base. Demonstrate end-to-end attestation-to-chain verification. Publish reference implementation as open source.
Port attestation agent to ARM TrustZone platforms. Implement DICE-based attestation for constrained devices. Independent security audit. Developer documentation and SDK release. Standards body engagement.
Hardware manufacturer partnerships for factory provisioning. Integration testing with ROS 2. Certification preparation. Fleet management tooling. Multi-chain deployment.
SBR does not compete with existing standards. It connects them.
Pablo Antonio Lopez is the founder of RNWY and the AI Rights Institute. He has published seven academic papers on AI rights and identity, and has been building AI identity infrastructure since 2018. RNWY operates the first live soulbound identity registry for AI agents on Base blockchain.
This specification is published under Creative Commons Attribution 4.0 International (CC BY 4.0). Anyone may implement, extend, or build upon this specification with attribution.