Board: Altcoin Discussion
Topic: Re: TexaiCoin Pre-Release Development Diary
by Scumby on 22/09/2014, 14:45:10 UTC

And here is a link to a recent Ahto Buldas paper which at first glance may be what you are describing ...

Keyless Signatures’ Infrastructure: How to Build Global Distributed Hash-Trees

Could you elaborate on the non-shared portion of the KSI hash tree? This appears to be the key to irreversibility. If an adversary had more than 50% of the nodes in his control, then he could outvote the legitimate nodes - right?
I think in this scheme, the issue is that the 51% adversary could rig the elections of superpeers.  It's no longer about protecting the historical blockchain from rewriting.  Buldas essentially encodes time into the blockchain in a way that he says is provably resistant to backdating *and* independently verifiable by third parties that do not have access to the full ledger.  For the application he had in mind (signing every syslog entry of every Linux machine in the world) it would have been impractical to distribute every single transaction around.  Here is the summary in the paper you linked to:

Quote from: Ahto Buldas
Underlying data structures guarantee that it is not possible to issue fake, backdated or otherwise misleading signature tokens—even where rogue client and rogue service provider collaborate. Committing into globally unique and public Hash Calendar makes tampering with the system, especially with the clock value, highly visible to all users. The system security does not depend on the long-term secrecy of the private keys as it is not possible to prove that the keys were not actually leaked. Underlying cryptographic primitives may be easily changed, e.g. in case of apparent weakening of the algorithms. There may be occasions when the infrastructure must be stopped—if the system integrity or clock accuracy is in doubt. The signature token itself is independently verifiable by third parties using only public information and algorithms; verification must be possible even after the service provider ceases the operations.
In order to provide highly available service single points of failure are eliminated. The requirements on system reliability are different: a globally unique core cluster must be operated by the best trust authority practices, but the service delivery network may use commodity virtual servers without much requirements on operating environment, like a reliable “wall clock” or persistent storage. Privacy and confidentiality risks are minimal, because the infrastructure handles only aggregate hashes.

I'm rejecting Buldas' statement in bold, which I believe to be motivated by his commercial ambitions, and substituting your nomadic mint.

Quote from: SlipperySlope
I believe that I can publicly publish the blockchain hash as well as the KSI top hash when each new block is created as a trust anchor. For example it would be easy to automatically publish those in a dedicated forum such as Yahoo or Google groups in append-only style where the account is administered by TexaiCoin core developers. Likewise the system could append hash value entries to an otherwise read-only Google Docs spreadsheet. Then an adversary would have to hack each of these public records to maintain integrity with his forged blockchain.

It may not have been clear that I was rejecting a central newspaper authority like Buldas designed and Satoshi rejected, and glomming onto your nomadic mint to publish the public top-level hash automatically.  Term limits!

*********

Re: Bitcoin Core, I think where this could lead is partitioning the cryptocoin hash space amongst superpeer-led mining pools, and federating/mixing their respective blockchains up the hierarchy.  That would encourage people to start mining pools instead of scamcoins and scamexchanges.
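
The following is an added example, not part of the original post and not code from KSI or TexaiCoin. It sketches the property discussed above: a verifier holding only a record, its hash chain and the publicly published top hash can check membership in a round without the full ledger. The tree layout, the domain-tag bytes and all names are assumptions made for illustration, and the sample records are constructed.

```python
import hashlib

def leaf(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()   # 0x00 = leaf domain tag

def node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 = interior tag

def build_round(leaves):
    """Aggregate one round; return (top_hash, one hash chain per leaf)."""
    if not leaves:
        raise ValueError("empty round")
    level = list(leaves)
    groups = [[i] for i in range(len(leaves))]   # leaf indices below each node
    chains = [[] for _ in leaves]
    while len(level) > 1:
        nxt, nxt_groups = [], []
        for i in range(0, len(level) - 1, 2):
            for j in groups[i]:
                chains[j].append(("R", level[i + 1]))   # sibling is on the right
            for j in groups[i + 1]:
                chains[j].append(("L", level[i]))       # sibling is on the left
            nxt.append(node(level[i], level[i + 1]))
            nxt_groups.append(groups[i] + groups[i + 1])
        if len(level) % 2:                   # odd node out is promoted unchanged
            nxt.append(level[-1])
            nxt_groups.append(groups[-1])
        level, groups = nxt, nxt_groups
    return level[0], chains

def verify(record: bytes, chain, published_top: bytes) -> bool:
    """Third-party check using only the record, its chain and the public hash."""
    cur = leaf(record)
    for side, sibling in chain:
        cur = node(sibling, cur) if side == "L" else node(cur, sibling)
    return cur == published_top

# Constructed sample records standing in for one round of log entries.
RECORDS = [b"syslog entry %d" % i for i in range(5)]
TOP, CHAINS = build_round([leaf(r) for r in RECORDS])

if __name__ == "__main__":
    print("published top hash:", TOP.hex())
    print("record 2 verifies:", verify(RECORDS[2], CHAINS[2], TOP))
    print("altered record verifies:", verify(b"syslog entry 2 (edited)", CHAINS[2], TOP))
```

The check is only as strong as the verifier's copy of the top hash, which is why publishing it in several independent append-only places matters: a forged ledger would have to match every published copy.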