Architecture

Four services. Dual signatures. Fail-closed enforcement. Every decision produces a cryptographic receipt or the action does not execute.

Four-Service Architecture

Issuer

Issues consent tokens (CDTs) and signs receipts. Every receipt carries a dual signature: one classical and one post-quantum. Every consent decision, ALLOW or DENY, produces a signed receipt.

Verifier

Validates consent tokens against the current policy state and the current revocation epoch on every request. If the token is invalid or absent, the action is denied. Fail-closed: there is no default-allow path.

Policy Registry

Stores canonical policy definitions, consent deltas, and revocation epochs. Append-only. Advancing the epoch (an epoch flip) invalidates every outstanding token at every enforcement point at once.

Oracle

Hardware-timed attestation service. Provides tamper-evident timestamps and hardware attestation quotes. Clock skew resistant.

Enforcement Flow

T0   Trigger: action request arrives at the consent gate
T0+  Evaluate: Verifier validates the consent token against current policy state and revocation epoch
T1   Initiate: decision made, ALLOW or DENY; receipt generation begins. SLA: T0 → T1 ≤ 8ms
T1+  Sign: dual signature, classical + post-quantum. Optional zero-knowledge proof (out of SLA scope)
T2   Complete: receipt committed to the accumulator and chain-linked. SLA: T0 → T2 ≤ 12ms
T2+  Register: receipt URI written to the Policy Registry; non-repudiation anchored

Receipt Data Model

Every receipt is a JSON-LD Verifiable Credential containing dual cryptographic signatures, timing attestations, an accumulator membership proof, and a registry URI. Receipts are issued for every decision, ALLOW and DENY alike. The field listing below shows a deletion receipt (type CDTDeletionReceipt); its evidence field records the sanitization steps taken.

Field               Description
@context            W3C Verifiable Credentials context plus the FinalBoss CDT schema
type                ["VerifiableCredential", "CDTDeletionReceipt"]
id                  URN UUID; globally unique receipt identifier
issuer              DID of the Issuer service
verifier            DID of the Verifier service
credentialSubject   Subject pseudonym, dataset, policy hash, revocation epoch, CDT, event type
timestamps          T0 (trigger), T1 (start), T2 (complete); hardware-attested
durations_ms        Init (T0 → T1) and Complete (T0 → T2) in milliseconds
evidence            RAM zeroization, cache overwrite, DFS pointer orphaning, media key forget
accumulator_root    Merkle accumulator root; append-only membership proof
registry_uri        DID URI for non-repudiation registry lookup
zk_proof            Optional zero-knowledge proof with public inputs: CDT, root, epoch, T1, T2
proof[]             Dual signatures: classical + post-quantum hybrid

Timing SLA

Hot-Path Performance (p99)

Initiation (T0 → T1): ≤ 8ms (SLA: PASS)
Completion (T0 → T2): ≤ 12ms (SLA: PASS)

Benchmark Details

Test runs: 120
Clock source: hardware-attested
Timing: tamper-evident
Init SLA (≤ 8ms): PASS
Complete SLA (≤ 12ms): PASS

With 120 runs, the p99 figure rests on the slowest one or two samples; treat it as indicative of the hot path rather than as a bound for production load. Off-path media sanitization and ZK proof generation are out of SLA scope.

Cryptographic Posture

Classical Signatures (active)

NIST-approved classical signature algorithms. Every receipt carries a classical signature alongside the post-quantum one; a verifier must check both.

Post-Quantum Signatures (active)

NIST-approved post-quantum signature algorithms, resistant to attack by a cryptographically relevant quantum computer. Receipts are long-lived evidence, so the post-quantum signature protects them against retroactive forgery once classical signatures can be broken; this is the signature-side counterpart of the harvest-now-decrypt-later threat to encrypted data.

Zero-Knowledge Proofs (optional)

Optional ZK proof binding the consent token, accumulator root, revocation epoch, and timing data (T1, T2). Verifiable without revealing the inputs.

Verification Workflow

Any third party can verify a receipt independently. Five steps. Steps 1 through 4 need only the receipt and the Issuer's public keys and run fully offline; step 5 requires read access to the Policy Registry.

1. Schema + SLA Gate

Validate the receipt against the JSON-LD schema. Confirm all required fields are present. Check temporal ordering (T0 ≤ T1 ≤ T2) and the timing SLA: init (T0 → T1) ≤ 8ms, complete (T0 → T2) ≤ 12ms.

validate_receipt.py receipt.jsonld → [OK]

2. Signature Verification

Verify both the classical and the post-quantum signature over the canonical receipt payload. Both must pass; one valid signature is not sufficient.

verify_classical(receipt, pubkey) && verify_pq(receipt, pq_pubkey)

3. Zero-Knowledge Proof (if present)

Verify the zero-knowledge proof with public inputs: CDT, accumulator_root, revocation_epoch, T1, T2. The proof is optional; when a receipt carries one, it must verify.

zk_verify(proof, [cdt, root, epoch, t1, t2])

4. Accumulator Membership

Recompute the Merkle path from the leaf hash through the sibling hashes. Confirm the recomputed root matches accumulator_root in the receipt.

merkle_verify(leaf, siblings, root) → true

5. Registry Lookup

Query the Policy Registry by receipt id. Confirm block number, index, and timestamp. Ensure the receipt id has not been seen before (no replay).

registry_lookup(receipt_id) → FOUND, no_replay
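
The offline checks of steps 1, 2, 4 and 5 as an added Python example (not the project's verification tooling). Signature verification is a caller-supplied callable because the page names no algorithm; the demo substitutes HMAC stand-ins for the classical and post-quantum schemes. The field name membership_path, the init/complete keys inside durations_ms, the {type, sig} layout of proof[] entries, and nanosecond timestamps are assumptions; the receipts and registry snapshot are constructed for the demo. Step 3 (ZK) is omitted.

```python
"""Offline receipt verification covering workflow steps 1, 2, 4 and 5.
Added example, not the project's code. Signature checks are caller-supplied callables
(the page names no algorithm; the demo uses HMAC stand-ins). Assumed: membership_path,
the init/complete keys of durations_ms, {type, sig} entries in proof[], ns timestamps.
"""
import hashlib
import hmac
import json
INIT_SLA_MS, COMPLETE_SLA_MS = 8.0, 12.0
REQUIRED = ("id", "issuer", "verifier", "credentialSubject", "timestamps",
            "durations_ms", "accumulator_root", "registry_uri", "proof")
NOT_IN_PAYLOAD = ("accumulator_root", "membership_path", "proof", "registry_uri")

def canonical_payload(r: dict) -> bytes:
    """Canonical JSON of the receipt minus the fields that carry the proofs."""
    body = {k: v for k, v in r.items() if k not in NOT_IN_PAYLOAD}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def leaf_hash(payload: bytes) -> bytes:             # domain-separated leaf
    return hashlib.sha256(b"\x00" + payload).digest()

def node_hash(left: bytes, right: bytes) -> bytes:  # domain-separated inner node
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_verify(leaf: bytes, path, root_hex: str) -> bool:
    """Step 4: fold [(sibling_hex, 'L'|'R'), ...] up to the root and compare."""
    h = leaf
    for sib_hex, side in path:
        sib = bytes.fromhex(sib_hex)
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return hmac.compare_digest(h, bytes.fromhex(root_hex))

def schema_sla_gate(r: dict) -> list:
    """Step 1: required fields, T0 <= T1 <= T2, durations consistent, SLA bounds."""
    errs = [f"missing:{k}" for k in REQUIRED if k not in r]
    if errs:
        return errs
    t0, t1, t2 = (r["timestamps"][k] for k in ("T0", "T1", "T2"))
    if not t0 <= t1 <= t2:
        errs.append("temporal_order")
    init_ms, complete_ms = (t1 - t0) / 1e6, (t2 - t0) / 1e6
    d = r["durations_ms"]   # stated durations must agree with the attested timestamps
    if abs(d["init"] - init_ms) > 0.01 or abs(d["complete"] - complete_ms) > 0.01:
        errs.append("durations_mismatch")
    if init_ms > INIT_SLA_MS:
        errs.append("init_sla")
    if complete_ms > COMPLETE_SLA_MS:
        errs.append("complete_sla")
    return errs

def verify_receipt(r: dict, verifiers: dict, registry: dict, seen: set) -> tuple:
    """Fail-closed: every check runs, any failure rejects; returns (ok, reasons)."""
    reasons = schema_sla_gate(r)
    if reasons:
        return False, reasons
    payload = canonical_payload(r)
    sigs = {p["type"]: p["sig"] for p in r["proof"]}
    for kind, verify in verifiers.items():              # step 2: both must pass
        if kind not in sigs or not verify(payload, sigs[kind]):
            reasons.append(f"signature:{kind}")
    if not merkle_verify(leaf_hash(payload), r["membership_path"], r["accumulator_root"]):
        reasons.append("accumulator_membership")
    entry = registry.get(r["id"])                       # step 5: lookup and replay check
    if entry is None or entry["root"] != r["accumulator_root"]:
        reasons.append("registry_lookup")
    if r["id"] in seen:
        reasons.append("replay")
    seen.add(r["id"])
    return not reasons, reasons

def demo_receipts(n: int = 4):
    """Constructed receipts, a 4-leaf accumulator and a registry snapshot (demo data only)."""
    keys = {"classical": b"classical-demo-key", "pq": b"pq-demo-key"}   # HMAC stand-ins
    receipts = []
    for i in range(n):
        t0 = 1_700_000_000_000_000_000 + i * 1_000_000_000
        receipts.append({
            "id": f"urn:uuid:demo-{i}", "issuer": "did:example:issuer", "verifier": "did:example:verifier",
            "credentialSubject": {"pseudonym": f"subj-{i}", "epoch": 7, "event": "ALLOW" if i % 2 == 0 else "DENY"},
            "timestamps": {"T0": t0, "T1": t0 + 5_000_000, "T2": t0 + 11_000_000},
            "durations_ms": {"init": 5.0, "complete": 11.0}, "registry_uri": f"did:example:registry#r{i}"})
    level = [leaf_hash(canonical_payload(r)) for r in receipts]
    idx, paths = list(range(n)), [[] for _ in receipts]
    while len(level) > 1:                               # record each leaf's sibling path
        for li, pos in enumerate(idx):
            sib, side = (pos + 1, "R") if pos % 2 == 0 else (pos - 1, "L")
            paths[li].append((level[sib].hex(), side))
        level = [node_hash(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        idx = [pos // 2 for pos in idx]
    root, registry = level[0].hex(), {}
    for i, r in enumerate(receipts):
        r["accumulator_root"], r["membership_path"] = root, paths[i]
        payload = canonical_payload(r)
        r["proof"] = [{"type": k, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()} for k, key in keys.items()]
        registry[r["id"]] = {"block": 1, "index": i, "root": root}
    verifiers = {k: (lambda key: lambda p, s: hmac.compare_digest(hmac.new(key, p, hashlib.sha256).hexdigest(), s))(key)
                 for k, key in keys.items()}
    return receipts, verifiers, registry
```

Usage: receipts, verifiers, registry = demo_receipts(); verify_receipt(receipts[2], verifiers, registry, set()) returns (True, []). Presenting the same receipt a second time with the same seen set returns (False, ["replay"]), and editing any payload field breaks both signatures and the membership proof at once, because the leaf hash and the signed bytes are the same canonical payload. The leaf and inner-node hashes are domain-separated so a leaf value cannot be passed off as an inner node.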

Threat Model & Controls

Insider Edits / Backdating

Quorum receipts with dual signatures. Append-only accumulator prevents history rewriting. Oracle provides hardware-attested timestamps.

Clock Skew / Manipulation

Hardware-attested timing. Tamper-evident timestamps from Oracle. Temporal ordering enforced: T0 ≤ T1 ≤ T2.

Replay / Partial Delete

Revocation epochs with fail-closed semantics. An epoch flip invalidates all outstanding tokens at once, and the CDT check is recomputed on every request rather than cached. Receipt ids are unique and checked against the registry, so a receipt presented twice is rejected as a replay.

Ledger Equivocation

Append-only Merkle accumulators. Registry non-repudiation with unique receipt URIs. Skip-list structure prevents fork attacks.

Protected by Multiple Patent Filings

Consent Enforcement: patent pending, under examination
Receipt Infrastructure: patent pending, under examination
AI Governance: patent pending, under examination

35 patent applications across 7 technology clusters, all pending examination. Details available under NDA.

Want the full technical whitepaper?

15-minute demo. Real receipts. Offline verification pack included.

Request Technical Deep Dive