[Proposal setup] Proposal title
Please provide your proposal title
Cardano Verifiable Media Dev Kit (C2PA + Anchors)
[Proposal Summary] Budget Information
Enter the amount of funding you are requesting in ADA
50000
[Proposal Summary] Time
Please specify how many months you expect your project to last
6
[Proposal Summary] Translation Information
Please indicate if your proposal has been auto-translated
No
Original Language
en
[Proposal Summary] Problem Statement
What is the problem you want to solve?
When media is shared, metadata/signatures are stripped. Cardano devs lack an open, standard-compatible way to bind authenticity inside files and verify it publicly without vendor lock-in.
[Proposal Summary] Supporting Documentation
Supporting links
[Proposal Summary] Project Dependencies
Does your project have any dependencies on other organizations, technical or otherwise?
No
Describe any dependencies or write 'No dependencies'
No dependencies
[Proposal Summary] Project Open Source
Will your project's outputs be fully open source?
Yes
License and Additional Information
Apache 2.0
License are subject to change, but we guarantee it to be open-source.
[Theme Selection] Theme
Please choose the most relevant theme and tag related to the outcomes of your proposal
Security
[Campaign Category] Category Questions
Mention your open source license and describe your open source license rationale.
Apache-2.0
OSI-approved, permissive, explicit patent grant, and enterprise-friendly. Maximizes reuse in wallets, dApps, SDKs, and research. Avoids copyleft friction, encourages external contributions, and fits developer tooling.
How do you make sure your source code is accessible to the public from project start, and people are informed?
- Day-1 public GitHub org with LICENSE, CONTRIBUTING, CoC, CI, issue templates.
- “Day-1 OSS” post on Cardano Forum + X/Discord with repo links.
- Early tags/releases (v0.1-spec, v0.2-alpha) + npm/PyPI publishes.
- Public roadmap board; weekly changelog in docs.
How will you provide high quality documentation?
- Versioned docs (Docusaurus) + TypeDoc/Sphinx API refs; architecture & threat diagrams.
- Quickstarts (Next.js + FastAPI), CLI/microservice runbook, C2PA bridge how-tos.
- Reason codes reference (AUTHENTIC/TAMPERED/REVOKED/UNKNOWN).
- Doc lint + broken-link CI; tutorials and forum posts per milestone.
[Your Project and Solution] Solution
Please describe your proposed solution and how it addresses the problem
Outputs (all Apache-2.0 in 6 months)
- SDKs (TypeScript & Python)
- Embed(mode=fragile|robust): writes an invisible watermark carrying a compact payload.
- Verify(offline=true): extracts payload, recomputes SHA-256 of exact file bytes, verifies Merkle proof + CIP-8 issuer signature; optional DID read; returns verdict + reason-codes and metrics.
- Anchor(digest): submits SHA-256 + signature to anchoring service; returns txId, root, proof.
- Anchoring microservice (REST)
- Hash-only anchoring; Merkle-batched for low fees; proof retrieval API; testnet → mainnet configs; self-hostable container with IaC snippets.
- CLI (Linux/macOS/Windows)
- VM-embed, VM-anchor, VM-verify with JSON outputs for CI/CD.
- Minimal web verifier
- Drag-and-drop demo + embeddable widget (<100 KB).
- C2PA bridge (v1)
- JUMBF import/export + soft-binding recovery when metadata is stripped.
- Robustness suite & open dataset (v1)
- Automated attack harness + dataset; metrics: BER/PSNR/SSIM with thresholds & failure modes.
- Academic paper
- Peer-review submission by Month 6; public preprint and artifact repo.
Architecture (A: in-file, B: on-chain)
A) In-file binding (dual watermark)
- Fragile (DCT-QIM): mid-freq luminance on 8×8 blocks; adaptive quantization; flips to TAMPERED with any byte change.
- Robust (DWT→DCT + SVD): strength masked by local energy; optional sync marks; survives JPEG q≥75, resize 0.5–2×, crop ≤10%, mild noise/blur/color shifts.
B) On-chain auditability
- Compute SHA-256 on the final file; sign with issuer key (CIP-8, Ed25519).
- Batch digests into a Merkle tree; anchor root on Cardano txn metadata or reference UTxO.
- Verifier checks Merkle proof on chain, validates CIP-8 signature, resolves DID rotation (optional), and reads revocation/status (optional CIP-68 profile).
Why this solves the problem: authenticity travels with the pixels (survives sharing), and verification is public & offline-capable (no vendor dependency).
Payload & privacy
- Fields (pre-encryption): doc_id, hash_trunc, ts, key_id, flags, rev_ptr, mode.
- Encoding: CBOR → optional AEAD (X25519 + ChaCha20-Poly1305) → ECC (BCH/Reed-Solomon) → interleaving → bitstream (~256–768 bits).
- Public vs private: even if encrypted, verifiers still return AUTHENTIC/TAMPERED/REVOKED/UNKNOWN without exposing PII.
Verification pipeline (SDK/CLI/web)
- Extract watermark → ECC decode → decrypt if needed → parse payload.
- Rehash exact file → compare with payload and on-chain digest.
- Resolve Merkle proof → validate root & Cardano txn; verify CIP-8 signature.
- Resolve DID/key rotation & optional CIP-68 status.
- Return verdict and reason-codes (examples: proof_valid, sig_valid, hash_match, extraction_fail, ecc_fail, revoked).
Anchoring microservice (REST)
Endpoints
- POST /digest: submit {sha256, signature, issuer_pubkey, meta?} → {id, batchId}
- GET /proof/:sha256: returns {merkle_path[], root, txId, slot}
- GET /status/:id: returns {revoked:boolean, since?:slot} (optional via CIP-68 profile)
Batching
- Time/size-based (e.g., every 5–10 min or N items); writes Merkle root to Cardano; proofs stored off-chain (server/IPFS).
- Keys & hosting
- Issuer signing via CIP-8 (Ed25519); optional DID for rotation; self-hostable container; TLS by default; KMS/HSM supported.
- Cost
- Hash-only + batching keeps per-file cost tiny; fees tracked per release.
C2PA bridge (standards-first)
- JUMBF import/export to interop with Content Credentials tools.
- Soft-binding recovery: watermark carries a locator/ID to restore manifests when stripped.
- Cardano mapping: manifests may include the Cardano root/tx reference.
- Interop tests: round-trips with common CC tools; public test vectors.
Scope, limits, targets (6-month V1)
- Formats V1: PNG, JPEG, raster-path PDFs.
- Out of scope: vector-only PDFs, video, audio (documented as V2 candidates).
- Targets V1:
- Robust BER ≤ 4% under JPEG q=75, resize 0.5–2×, crop ≤10%.
- Fragile tamper detection ≥ 99%.
- Verification latency median ≤ 2 s local / ≤ 4 s remote.
- Anchoring (batched) ≤ ₳0.003 per file.
Example developer flow (no internal code blocks)
- Embed then anchor: run vm-embed on a PNG/JPEG/PDF (robust or fragile). Compute SHA-256 of the watermarked output. Use vm-anchor with issuer key and anchoring service URL to record a Merkle-batched anchor on Cardano.
- Verify offline-first: run vm-verify on the received file; it extracts and checks watermark payload, recomputes digest, verifies Merkle proof + signature, and returns a verdict with reason-codes.
- Integrate in apps: import the SDK in a Node/Python project; call embed/verify/anchor; in a web app, add the minimal verifier widget for drag-and-drop checks.
[Your Project and Solution] Impact
Please define the positive impact your project will have on the wider Cardano community
Immediate DX
- Drop-in SDKs, CLI, microservice, and web verifier; integrate in hours.
- C2PA compatibility positions Cardano as a credible provenance anchor in mainstream workflows.
- Open dataset + attack harness invites audits, research, language ports (Go/Rust/Java).
- Shared reason-codes unify UX across verifiers.
Community & collaboration
- Day-1 public repos; contribution guide; good-first-issues; public roadmap; tutorials and forum posts per milestone.
- Two bounty-backed demos to seed third-party integrations.
- Academic paper + preprint and artifact repo raise credibility and reuse.
KPIs (6-month MAX plan)
- ≥150 SDK downloads/sign-ups; ≥8 community PRs; ≥2 third-party demos (bounties).
- Robust BER ≤ 4%; fragile tamper detection ≥ 99%.
- Verification latency median ≤ 2 s local / ≤ 4 s remote.
- Anchoring cost (batched) ≤ ₳0.003 per file.
- One peer-reviewed submission + public preprint & artifact repo by Month 6.
[Your Project and Solution] Capabilities & Feasibility
What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?
Capabilities & Feasibility
Why Sumbu Labs is suited to deliver
Deep fit with the problem & stack
Our team combines applied cryptography (watermarking, hashing, signatures), Cardano backend engineering (CIP-8, Merkle batching, UTxO patterns), and developer tooling (SDKs, CLIs, REST services). This proposal is squarely about open dev tooling, which is our primary focus.
Standards mindset
We design for interoperability first (C2PA/JUMBF, OpenAPI 3.1), ensuring Cardano fits cleanly into existing provenance workflows rather than inventing a silo. This reduces risk and boosts adoption.
Open-source by default
Everything ships under Apache-2.0 from day 1. Public repos, public roadmap, public CI, and publicly reproducible results provide accountability and enable collaboration.
How we’ll build & validate (execution plan)
Tight scope, short timeline (6 months)
Focus on the core dev kit—SDKs (TS/Py), CLI, anchoring microservice, minimal web verifier, C2PA bridge v1, and a v1 robustness suite & dataset. No IDE plug-ins or video/vector-PDF scope creep.
Milestone-driven delivery (SoM/PoA-ready)
M1 (Month 2): Day-1 OSS repos, Scalar docs live, architecture & threat model, API contracts, C2PA soft-binding plan.
M2 (Month 4): SDKs + anchoring service + CLI (alpha), testnet anchors, example apps, regeneration baseline tests.
M3 (Month 6): Robustness v1 + dataset, mainnet config, web verifier, doc polish, light security review, paper submission + preprint + artifact repo.
Engineering process (what happens between milestones)
Design control: RFC issues + ADRs (architecture decision records) for major choices (payload fields, ECC params, Merkle layout).
Implementation: small, testable modules; typed SDKs; semantic versioning.
CI/CD: unit tests (target ≥80% coverage on core libs), integration tests against preprod; reproducible attack scripts in CI; build pipelines publish SBOMs and signed artifacts (cosign).
Docs-as-contract: OpenAPI 3.1 for the service, rendered via Scalar with try-it console; Spectral lint enforces spec hygiene. Guides and examples are versioned alongside code.
Quality gates: code review mandatory, status checks required, doc & link linting must pass, performance & robustness thresholds checked before promoting releases.
Security practices: principle of least privilege, TLS everywhere, optional KMS/HSM for issuer keys, dependency scanning, and a light third-party review (Month 5) of the anchoring service and verification logic.
Verification/validation (how we prove it works)
Robustness suite v1: JPEG/resize/crop/noise/blur/color, geometric desync baseline, screenshot/print-scan baseline, and regeneration baseline; publish BER/PSNR/SSIM with failure modes.
Deterministic artifacts: datasets, parameters, and scripts to reproduce results; public preprint & artifact repo with the academic submission.
Operational tests: testnet and mainnet anchors with public references; example integrations (Next.js, FastAPI) that anyone can run.
Community & transparency (how we stay accountable)
Public development from day 1: GitHub org with LICENSE, SECURITY policy, CONTRIBUTING, code of conduct, issue templates, and branch protections.
Discoverability & comms: “Day-1 OSS” post on the Cardano Forum; monthly devlogs; weekly changelog; labeled issues for contributors; roadmap/milestones visible.
Reason-codes & UX clarity: standardized verdict reasons (e.g., proof_valid, sig_invalid, hash_mismatch) so downstream wallets/dApps present consistent, auditable results.
Fund management & financial controls (how we manage ADA responsibly)
Milestone-based disbursement
Funding aligned to SoM/PoA (M1 25% / M2 45% / M3 30%). We request the next tranche only after the prior milestone’s Proof of Achievement is published (repos, tags, docs, demos, datasets, and tx refs).
Segregated treasury & multi-sig
Dedicated project treasury wallet (published address) holds Catalyst funds.
2-of-3 multi-sig policy for outbound transfers (Lead, Ops, Finance/Advisor).
A small ops hot wallet holds a limited float for routine expenses; periodic top-ups from the treasury require multi-sig.
Budget tracking & approvals
Budget vs. actual tracked monthly against the aggregated categories approved in the proposal.
Two-step approvals for expenses: (1) scope/quote sign-off by project lead, (2) release by finance signer.
Vendor selection (when applicable) follows a lightweight two-quote rule for non-trivial costs.
Accounting & reporting
Maintain a project ledger (transactions annotated with milestone, purpose, and invoice/PO links).
Publish a brief financial snapshot at each milestone alongside PoA: spend-to-date by category, remaining balance, and contingency status.
Store artifacts (invoices, receipts) in a shared drive with immutable links referenced in the ledger.
Risk management & continuity
Contingency preserved (as budgeted) for unexpected costs.
Role backup and maintainer rotation reduce bus factor; handover docs kept current.
If a dependency slips (e.g., provider API), we have self-host options for critical paths (Cardano node, IPFS).
Compliance & ethics
All outputs licensed Apache-2.0; no closed-source components.
Supply-chain hygiene: SBOMs, pinned versions, signed container images; no inclusion of non-redistributable assets in public repos.
Why this plan is feasible within 6 months
Focused scope on developer-usable artifacts (SDKs/CLI/service/verifier) and a clear test plan (robustness v1), avoiding long-tail features (IDE plug-ins, vector-PDF, video).
Modular architecture and standards-first contracts (OpenAPI for service; C2PA bridge) de-risk integration and allow parallel workstreams (SDKs, service, robustness).
Public, measurable outputs (code, docs, datasets, mainnet/testnet tx refs, preprint, artifact repo) ensure objective acceptance and easy community verification.
[Milestones] Project Milestones
Milestone Title
Day-1 Open Source Repos, Spec & Docs Online
Milestone Outputs
- Public GitHub org with repo scaffolds (Apache-2.0 LICENSE, NOTICE, SECURITY, CONTRIBUTING, CoC, issue/PR templates, branch protections)
- Scalar docs portal online; initial architecture & threat model published
- Anchoring service OpenAPI 3.1 draft (endpoints, schemas, examples)
- C2PA/JUMBF soft-binding plan and API contracts for SDKs/service
- Initial SDK stubs (TS/Py) with project structure and basic types
- Public roadmap board; weekly changelog started
Acceptance Criteria
- Repos are public and pass CI (lint/tests placeholders) with branch protections enabled
- Scalar site renders OpenAPI spec; Spectral lint passes with no critical errors
- Tag v0.1-spec created; docs include reason-codes catalog and runbook outline
Evidence of Completion
- Repo URLs + tag link; Scalar docs URL; OpenAPI file path/commit hash
- Screenshot or hash of roadmap board and CI status badges
Delivery Month
2
Cost
12500
Progress
30 %
Milestone Title
SDKs (TS/Py), Anchoring Service (Testnet), CLI (Alpha)
Milestone Outputs
- TypeScript SDK: embed() (fragile/robust), verify() (offline-first), anchor()
- Python SDK: near-parity features with TS (embed/verify/anchor)
- Anchoring microservice (REST): hash-only, Merkle batching, proof retrieval; deployed to preprod/testnet
- CLI tools: vm-embed, vm-anchor, vm-verify with JSON output
- C2PA bridge v1: JUMBF import/export + minimal soft-binding recovery path
- Example integrations: Next.js (web) + FastAPI (backend)
- Regeneration baseline tests integrated into robustness harness
- Published npm/PyPI alpha packages; container image for service
Acceptance Criteria
- End-to-end demo: embed → anchor (testnet) → verify (proof+sig valid) succeeds on sample PNG/JPEG/PDF-raster files
- Unit test coverage ≥80% for core SDK libs; integration tests pass against testnet
- CLI returns machine-readable JSON and human summary; service OpenAPI passes Spectral; Scalar “Try-It” works
- C2PA round-trip: export/import JUMBF and recover manifest via soft-binding demo
Evidence of Completion
- Testnet transaction IDs and Merkle root/proofs published in docs
- Demo video link; npm/PyPI/package tags; container image tag; CI coverage report
- Example app repositories and run instructions
Delivery Month
4
Cost
22500
Progress
70 %
Milestone Title
Robustness Suite & Dataset (v1), Mainnet Config, Web Verifier, Paper Submission
Milestone Outputs
- Robustness harness v1 with attacks: JPEG q=50–95, resize 0.5–2×, crop ≤10%, blur/noise/color, geometric desync baseline, screenshot/print-scan baseline, regeneration baseline
- Open dataset and metrics report (BER/PSNR/SSIM) with thresholds & failure-mode notes
- Mainnet configuration for service and verifier; reproducible anchors
- Minimal web verifier (drag-and-drop) + embeddable widget
- Docs polish (Scalar): versioned API, runbooks, troubleshooting by reason-codes
- Security review (light) of service + verification logic and remediations
- Academic paper submitted; public preprint + artifact repo
- Two external demo bounties awarded and merged
Acceptance Criteria
- Meets targets: Robust BER ≤4% (JPEG q=75, resize 0.5–2×, crop ≤10%); Fragile tamper detection ≥99%
- Verification median ≤2s local / ≤4s remote on sample set
- Mainnet tx references and proof verification documented; web verifier works cross-browser
- Security review summary published with addressed items
- Paper submission receipt; preprint and artifact repo public
- Two third-party demos integrated and documented
Evidence of Completion
- Dataset + scripts repo links; metrics report; mainnet tx IDs & proofs
- Web verifier URL; security review summary; preprint DOI/URL; artifact repo URL
- Links to merged demo PRs and bounty payout tx hashes
Delivery Month
6
Cost
15000
Progress
100 %
[Final Pitch] Budget & Costs
Please provide a cost breakdown of the proposed work and resources
- Core Engineering (SDKs, Service, CLI) - 32,500 ADA
- TypeScript & Python SDKs: embed/extract/verify, offline hash+proof checks
- Anchoring microservice (REST): CIP-8 signing, Merkle batching, testnet→mainnet configs, proofs API
- CLI tooling (vm-embed / vm-anchor / vm-verify), packaging, CI setup
- Watermarking R&D: fragile (DCT-QIM) + robust (DWT→DCT) algorithm implementation & tuning
- Verification UX & Examples - 7,500 ADA
- Minimal web verifier (drag-and-drop widget)
- Example integrations (Next.js + FastAPI), copy-paste snippets
- Standards & Interoperability (C2PA) - 5,000 ADA
- JUMBF import/export; soft-binding recovery path
- Interop test vectors and round-trip validation with common tools
- QA, Security & Test Infrastructure - 4,000 ADA
- Unit/integration tests, robustness harness v1 in CI
- Light third-party security review of service + verification logic
- Documentation, PM & DevRel - 6,000 ADA
- Scalar docs portal (OpenAPI 3.1 + guides), tutorials, forum posts
- Project management, PoA packaging, community support
- Community Incentives & Publication & Fees - 6,500 ADA
- Two demo bounties (2 × 2,000 ADA) to seed external integrations
- Academic paper prep & submission fees (preprint + artifact repo)
- On-chain anchoring fees & dataset labeling
- Cloud/Infra - 1,000 ADA
- Hosting, storage, CI runners, artifact registries
Funding by milestone (SoM/PoA):
- M1: 25% - Day-1 OSS repos & spec; Scalar docs online
- M2: 45% - SDKs + service + CLI (alpha), testnet anchors, examples
- M3: 30% - Robustness v1 + mainnet config + web verifier + paper submission/preprint
(Totals = 50,000 ADA. No proprietary components; all artifacts Apache-2.0 and public from day one.)
[Final Pitch] Value for Money
How does the cost of the project represent value for the Cardano ecosystem?
- Concentrated scope, high leverage
- In 6 months you get SDKs, CLI, anchoring service, web verifier, C2PA bridge, robustness suite & dataset, and a peer-reviewed paper — all Apache-2.0.
- Cardano-first, not generic
- Uses CIP-8 signing, Merkle batching, optional CIP-68; immediately useful in the Cardano stack.
- Cost discipline
- Hash-only anchors, batching, focused format scope, no IDE plugin, targeted security review.
- Ecosystem multiplier
- Lowers time-to-integrate for dApps/wallets/registries; aligns Cardano with Content Credentials; publication + artifacts improve trust, citations, and long-term reuse.
[Required Acknowledgements] Consent & Confirmation
Terms and Conditions:
Yes