Every public key registration is logged in a tamper-evident Merkle tree. Verify that a device is registered without seeing the payload — analogous to CT logs for HTTPS.