Certified search · audit
How “certify and sign” actually works — the difference between “trust us” and “verify it yourself”.
“Certifying” is a property of the computation: the search returns every name within the radius, zero false negatives, because pruning only discards a point when a lower bound proves it is beyond the radius. It is a theorem, verified in tests against brute force at every layer.
“Signing” is something else: making the answer non-repudiable and third-party verifiable. A regulator does not want your word that the screening was correct — they want a record they can check themselves, years later, and be certain it was not altered. That is the difference between confidence and proof, now at the operational level.
Each screening emits a document with three blocks, sealed by a signature:
The Merkle commitment is the key to “against the right list”: a root hash of the whole sanctions list. Each match carries a short path (≈16 hashes) proving that name is in the list of that root — without transmitting the entire list.
The verifier does not use the search index. It needs only the service's public key and the list commitment (both published out of band), plus the public spec (how to normalize a name and compute the distance):
// real OFAC SDN, 45,197 names · query = variant of a sanctioned name query: "shwx kokko special economic zone" · r_α=2 · floor ≥0.95 match: "Shwe Kokko Special Economic Zone" (d=1) · signed (Ed25519) INDEPENDENT VERIFICATION ✓ Ed25519 signature valid — tamper-evident, non-repudiable ✓ list commitment matches the trusted root ✓ each match ≤ r_α (recomputed distance) — sound ✓ each match is a member of the committed list (Merkle proof) ✓ completeness: exhaustive re-run returns the same set — nothing omitted
The strength of the record is that verification does not depend on the operator's word:
// (a) alter the record after signing alter the query after signing → signature INVALID ✗ (detected) // (b) forge a perfect match and RE-SIGN with the same key forge distance=0 and re-sign → the verifier recomputes and finds d=1 ≠ 0 ✗ (detected)
In case (a), the signature seals the exact content — one changed byte invalidates it. In case (b), even if the attacker re-signs, the verifier recomputes the distance from the name and the query: the proof does not come from the signer's word, it comes from the public mathematics.
The signature guarantees the signed claim, with its scope and its premises: the metric, the radius, the conformal recall floor (with its exchangeability premise) and the exact list version. It does not guarantee the truth of the world — if exchangeability breaks (an adversarial name outside the calibration distribution), the guarantee does not cover it. But the premise is inside the record, explicit and auditable.
That is the difference between confidence and proof: confidence hides the premise; the signature names it, binds it to the record, and lets a third party check everything downstream of it.
Parts: Ed25519 signature and Merkle commitment with SHA-256 (both standard library). The verifier is ~100 lines and does not depend on the search engine. Open reference implementation (SIEVE engine).