Scalable, Bitcoin-Native Data Availability

A digital asset is two things at once. One is a record in a distributed ledger that cannot be altered, censored, or revoked. The other is the content that record refers to, an image, a file, a state snapshot, a contract payload. For most NFTs, that content lives on a server somewhere, which means it can be lost at any moment. This is a structural problem, not an implementation detail. Blockchain applications need availability guarantees for the data they reference. NFTs carry images. DeFi protocols depend on state snapshots and oracle data. Assets rely on metadata that defines what they are.

None of this can live on Bitcoin at any meaningful scale, and alternatives such as Filecoin, Sia and Chia were never intended to provide blockchain-level permanence—they optimize for bulk data at competitive pricing when compared with centralized cloud storage.

Arweave has goals closer to what the problem actually demands, and the design is closer to being adequate, but it is incomplete in ways its own documentation acknowledges. The Arweave Yellow Paper states outright that the Arweave team does not expect the network to "continue to produce blocks in true perpetuity," and frames the eventual subsumption of its data into some unspecified future storage system as the design's intended trajectory. Separately, Arweave has no slashing mechanism: nodes face no direct penalty for failing to store the specific data they have committed to. And because Arweave is a separate blockchain, Bitcoin users wanting to use it must acquire an additional cryptocurrency through off-chain channels with incompatible tooling.

IPFS is often treated as a solution but is not one. It provides no availability guarantees whatsoever. Without an integrated cryptocurrency, it has no mechanism for incentivizing nodes to host data. Files disappear when nodes decide to prune them. As a distribution format IPFS is useful. As a persistence layer it is a promise no one has been asked to keep.

The common failure across all three approaches is the absence of economic consequences for non-performance. A storage system that cannot punish nodes for failing to store is not a storage system. It is a request.

The verification problem is the conceptual centre of any honest design. Without verification, rational nodes would delete data immediately and collect rewards until caught. A protocol that pays for storage without measuring it is paying for nothing. The Kontor file persistence protocol treats verification as the foundation, and the mechanism follows from a single constraint: the expected cost of dishonesty must far exceed any possible savings from it.

Each Bitcoin block, the protocol uses the block hash as a randomness source to deterministically select files for auditing and nodes to challenge. The challenged node must prove cryptographically that it possesses specific, randomly chosen sectors of the file at that moment. The proof is compact, around ten kilobytes regardless of file size. It is verifiable by anyone. It cannot be forged. If the node produces a valid proof within approximately two weeks, it continues earning rewards. If it fails to do so, it is slashed and removed from the agreement.

The detection math, by design, makes selective storage irrational. A node that has lost even ten percent of a file's data has a 99.997 percent chance of being caught per challenge. With twelve challenges per file per year, expected time to detection is measured in weeks, not years. The staked capital at risk typically exceeds storage costs by orders of magnitude. The protocol does not need to challenge every byte. It needs only to make the expected cost of dishonesty exceed any possible savings. Economic security does not emerge from goodwill or reputation. It emerges from making the dishonest strategy unprofitable for rational operators.

From this foundation, the rest of the design follows.

The user pays once. The fee is burned rather than escrowed, acting as a spam deterrent and a source of deflationary pressure, but not as the source of storage funding. The actual funding comes from perpetual KOR emissions. Storage nodes earn KOR each block in proportion to the files they store, calibrated so that the net present value of future emissions exceeds storage costs for rational operators. This is what makes it profitable to maintain files indefinitely without requiring the uploader to keep paying. A subscription model cannot deliver perpetual storage. An emission model can.

The emission weights grandfather early files permanently. Files created when the network is small receive higher reward shares than identical files created later, compensating early participants for the risk of an unproven protocol and ensuring that historically valuable data remains attractive to store as the network grows. The scaling is logarithmic rather than linear. A file a thousand times larger in bytes carries only about twice the emission weight. A kilobyte-sized file containing a private key is treated as seriously as a gigabyte of archival material, because the economic value of data is not correlated with physical size.

Sybil fragmentation is made prohibitively expensive by the dynamic stake factor. A node storing a single file must stake twenty to thirty times more capital per file than a node storing thousands. The capital-efficient strategy is consolidation, not splitting. Operator incentives align with network health without requiring governance or enforcement to impose the outcome.

The cryptographic layer uses Nova recursive SNARKs to compress multiple challenges across multiple files into a single proof. Without aggregation, proving costs would grow linearly with each file under management, pricing out operators at any real scale. With aggregation, an operator holding thousands of files can roll weeks of pending challenges into one on-chain submission, spreading the Bitcoin transaction fee across the entire proof set. Reed-Solomon erasure coding adds ten percent redundancy per codeword, so that a file stays fully rebuildable even when an individual node falls below the detection threshold. Poseidon hashing optimizes for arithmetic circuits, giving orders of magnitude better in-circuit performance than SHA-256. The proof system uses a transparent setup, requiring no trusted ceremony, which eliminates the coordination risks and residual trust assumptions that such ceremonies introduce.

Every one of these decisions traces back to the same constraint. The protocol must make honest storage the dominant strategy for rational operators. Capital costs must outweigh the operational savings from dishonesty, so that attacks which save storage costs while maintaining rewards remain unprofitable. Detection must be near-certain within short timeframes, so that the expected loss from cheating exceeds any plausible savings. Verification must be public, so that no party needs to be trusted to confirm whether nodes are performing. And the entire file storage system should be on Bitcoin. These are not engineering preferences. They are the conditions under which perpetual, trustless storage becomes possible at all.

Bitcoin's value proposition has always been a particular kind of permanence. The ledger is not alterable. The ownership is not revocable. The settlement is final. These properties have been extended before, through metaprotocols that add functionality without asking Bitcoin to be anything other than what it is. The Kontor file persistence protocol extends Bitcoin in exactly this sense. It does not ask Bitcoin to store files. It anchors an off-chain storage system to Bitcoin's consensus, inherits Bitcoin's security model, and leaves Bitcoin to do what Bitcoin already does best.