ESP32-S3 eFuse gates anchored to Arbitrum Stylus. Four cryptographic proofs from silicon to chain — unforgeable hardware identity for the decentralized stack.
Core Primitive
Every device identity passes through four sequential cryptographic verification stages. All must succeed. One failure collapses the chain.
SILICON LAYER: Extracts manufacturer-burned identifiers from ESP32-S3 silicon — Base MAC address plus Chip Model ID. These values are physically immutable, fused into the die at factory. No firmware can alter them.
CRYPTO LAYER: Generates a 32-byte Hardware Identity (HW_ID) via on-device Keccak-256 using Ethereum-compatible 0x01 padding. Deterministic and reproducible — same silicon always produces the same digest.
VERIFICATION LAYER: Stylus Rust contract reconstructs receipt digests, enforces monotonic counter replay protection, and validates approved firmware hash gating. Execution is restricted to whitelisted firmware versions.
ARBITRUM STYLUS: Verified identity anchored to Arbitrum Sepolia via Stylus WASM execution. One physical device maps to one on-chain identity. The contract address is public, immutable, and verifiable by anyone.
The Problem
"Every DePIN node claims to be real hardware. Most are software lying."
Decentralized physical infrastructure networks (DePIN) require proof that nodes are genuine hardware — not software simulations, VMs, or spoofed identities. Without silicon-level verification, any DePIN network can be gamed by attackers running software impersonations of physical nodes. SHA solves this at the identity root.
By binding immutable ESP32-S3 eFuse values — written once in the factory, physically unalterable — to Arbitrum Stylus smart contracts via Keccak-256 cryptographic proofs, SHA creates unforgeable device identity. The chain of trust runs from silicon atoms to on-chain bytes. No software layer can forge it.
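A minimal Python model of the gates described under Core Primitive, added here as an illustration and not the project's contract or SDK code. The HW_ID preimage (6-byte MAC followed by a 1-byte chip model), the receipt digest layout, and the names `hw_id`, `receipt_digest` and `Verifier` are assumptions; `keccak256` uses the 0x01 padding the page specifies, which is why `hashlib.sha3_256` (0x06 padding) cannot be substituted for it.

```python
M = (1 << 64) - 1
def rol(a, n): return ((a << n) | (a >> (64 - n))) & M

def keccak_f(A):  # Keccak-f[1600] over 25 64-bit lanes, lane (x, y) at index x + 5*y
    R = 1
    for _ in range(24):
        C = [A[x] ^ A[x+5] ^ A[x+10] ^ A[x+15] ^ A[x+20] for x in range(5)]
        A = [A[i] ^ C[(i+4) % 5] ^ rol(C[(i+1) % 5], 1) for i in range(25)]  # theta
        x, y, cur = 1, 0, A[1]
        for t in range(24):  # rho and pi
            x, y = y, (2*x + 3*y) % 5
            cur, A[x+5*y] = A[x+5*y], rol(cur, (t+1)*(t+2)//2 % 64)
        A = [A[i] ^ (~A[(i+1) % 5 + i//5*5] & A[(i+2) % 5 + i//5*5]) for i in range(25)]  # chi
        for j in range(7):  # iota, round constant bits from an LFSR
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                A[0] ^= 1 << ((1 << j) - 1)
    return A

def keccak256(data, suffix=0x01):  # 0x01 = Ethereum Keccak-256, 0x06 = NIST SHA3-256
    rate = 136
    p = bytearray(data) + bytes(rate - len(data) % rate)  # always pads at least 1 byte
    p[len(data)] ^= suffix
    p[-1] ^= 0x80
    A = [0] * 25
    for off in range(0, len(p), rate):  # absorb one 136-byte block at a time
        for i in range(rate // 8):
            A[i] ^= int.from_bytes(p[off + 8*i: off + 8*i + 8], "little")
        A = keccak_f(A)
    return b"".join(lane.to_bytes(8, "little") for lane in A[:4])

def hw_id(mac, chip_model):  # assumed preimage: 6-byte base MAC || 1-byte chip model
    return keccak256(mac + bytes([chip_model]))

def receipt_digest(hwid, fw_hash, counter):  # assumed layout, not the project's format
    return keccak256(hwid + fw_hash + counter.to_bytes(8, "big"))

class Verifier:  # hypothetical off-chain model of the verification gates
    def __init__(self):
        self.nodes, self.firmware, self.counters = set(), set(), {}
    def verify(self, hwid, fw_hash, counter, digest):
        if hwid not in self.nodes: return "unauthorized node"
        if fw_hash not in self.firmware: return "firmware not approved"
        if counter <= self.counters.get(hwid, 0): return "replayed counter"
        if digest != receipt_digest(hwid, fw_hash, counter): return "digest mismatch"
        self.counters[hwid] = counter  # advance only after every gate has passed
        return "ok"
```

The counter is stored only after the digest check, so a rejected receipt cannot burn a counter value for the genuine device.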
System Design
Three-layer stack. Silicon feeds cryptographic identity upward through verification to permanent on-chain state.
On-Chain Evidence
Reproducible benchmark results from Arbitrum Sepolia. Network: chain-id 421614. Contract verified and activated on-chain.
| Operation | Gas Used | Gas / Receipt | Status |
|---|---|---|---|
| verifyReceiptsBatch N=5 | 148,741 | 29,748 | PASS |
| verifyReceiptsBatch N=10 | 202,090 | 20,209 | PASS |
| verifyReceiptsBatch N=20 | 308,387 | 15,419 | PASS |
| verifyReceiptsBatch N=50 | 628,201 | 12,564 | PASS |
| verifyReceipt (single, success) | 118,935 | 118,935 | PASS |
| verifyReceipt (invalid digest) | 98,631 | 98,631 | REVERT (expected) |
| authorizeNode | 99,288 | — | PASS |
| approveFirmware | 99,285 | — | PASS |
Interpretation: Stylus WASM batch execution shows strong amortization — gas per receipt drops sharply from 29.7k at N=5 to 12.6k at N=50, demonstrating the advantage of running native-compiled logic in WASM versus per-transaction Solidity dispatch. Batch verification is recommended for DePIN networks verifying many devices per transaction.
Deploy TX: 0x1a9eaa…489
Arbitrum Foundation
SHA is funded by the Arbitrum Stylus Sprint — a $25,000 USD grant awarded for Phase 1 development over 6 months on Arbitrum Sepolia (testnet only). The grant covers internal security hardening, reproducible validation artifacts, and developer SDK delivery. No mainnet deployment is included in Phase 1 scope.
anchor-verifier) to PyPI. Rust crate (stylus-hardware-primitives) to crates.io. Three reference integration templates deployable on Sepolia. Minimal developer dashboard with gas analytics.
Future Extension
Branch feat/zkp-vlayer-integration adds a fourth security layer: ZK execution correctness. Additive to SHA v1 — preserves all existing guarantees.
SHA x vlayer adds cryptographic execution correctness to hardware identity verification. This creates a 4-layer security model. Phase 1 architecture and interface design are complete. The vlayer Noir circuit and Stylus verifier are Phase 2.
SHA is fully open-source and reproducible. Contract deployed, activated, and benchmarked on Arbitrum Sepolia. Clone the repo, run the test vectors, verify the deployment yourself.