Architecture

Four services. Cryptographic signatures. Fail-closed enforcement. Every decision produces a cryptographic receipt or the action does not execute.

Four-Service Architecture

Issuer

Issues consent tokens and signs receipts. Every consent decision — ALLOW or DENY — produces a cryptographically signed receipt.

Verifier

Validates consent tokens against policy state. If the token is invalid or absent, the action is denied. Fail-closed.

Policy Registry

Stores policy definitions and consent state. Immutable. Supports instant revocation across all enforcement points.

Oracle

Hardware-timed attestation service. Provides tamper-evident timestamps and hardware attestation quotes. Clock skew resistant.

Enforcement Flow

T0 (Trigger): Action request arrives at the consent gate.
T0+ (Evaluate): Verifier validates consent token against current policy state.
T1 (Initiate): Decision made: ALLOW or DENY. Receipt generation begins.
T1+ (Sign): Cryptographic signature applied. Optional zero-knowledge proof.
T2 (Complete): Receipt committed and chain-linked.
T2+ (Register): Receipt URI written to Policy Registry. Non-repudiation anchored.
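
The fail-closed behaviour of this flow, as an added example that is not FinalBoss code: `ReceiptLog`, `consent_gate` and `verify_token` are hypothetical names, a SHA-256 hash chain stands in for the unspecified chain-linking, and signing is omitted because the page does not name its algorithms.

```python
import hashlib
import json
import time
import uuid

class ReceiptLog:
    """Append-only log; each receipt stores the hash of the one before it."""
    def __init__(self):
        self.entries, self.head = [], "0" * 64

    def commit(self, receipt):
        receipt["prev_hash"] = self.head          # assumed chain-link field
        body = json.dumps(receipt, sort_keys=True).encode()
        self.head = hashlib.sha256(body).hexdigest()
        self.entries.append(receipt)
        return self.head

def consent_gate(token, action, verify_token, log, clock=time.monotonic_ns):
    """Run `action` only if the token verifies AND a receipt was committed."""
    t0 = clock()                                  # T0: request arrives
    try:
        allowed = token is not None and verify_token(token) is True
    except Exception:
        allowed = False                           # verifier error => DENY
    t1 = clock()                                  # T1: decision made
    receipt = {
        "id": f"urn:uuid:{uuid.uuid4()}",
        "decision": "ALLOW" if allowed else "DENY",
        "timestamps": {"T0": t0, "T1": t1, "T2": clock()},
    }
    try:
        log.commit(receipt)                       # T2: committed, chain-linked
    except Exception:
        return "DENY", None                       # no receipt => no action
    return receipt["decision"], (action() if allowed else None)
```

A DENY still lands in the log, and a log that cannot commit blocks an otherwise valid request.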

Receipt Data Model

Every receipt is a JSON-LD Verifiable Credential containing dual cryptographic signatures, timing attestations, accumulator membership proof, and registry URI. Receipts are issued for every decision — ALLOW and DENY alike.

Field: Description
@context: W3C Verifiable Credentials + FinalBoss consent schema
type: ["VerifiableCredential", "CDTDeletionReceipt"]
id: URN UUID, globally unique receipt identifier
issuer: DID of the Issuer service
verifier: DID of the Verifier service
credentialSubject: Subject pseudonym, dataset, policy reference, consent status, event type
timestamps: T0 (trigger), T1 (start), T2 (complete), hardware-attested
durations_ms: Init (T0→T1) and Complete (T0→T2) in milliseconds
evidence: RAM zeroization, cache overwrite, DFS pointer orphaning, media key forget
accumulator_root: Cryptographic accumulator, tamper-evident membership proof
registry_uri: DID URI for non-repudiation registry lookup
zk_proof: Zero-knowledge proof binding consent decision to timing attestation
proof[]: Cryptographic signatures (quantum-resistant)

Timing SLA

Hot-Path Performance (p99)

Initiation (T0 → T1): Real-time. SLA: PASS
Completion (T0 → T2): Real-time. SLA: PASS

Benchmark Details

Test runs: 120
Clock source: Hardware-attested
Timing: Tamper-evident
Init SLA: PASS
Complete SLA: PASS

Off-path media sanitization and ZK proof generation are out of SLA scope.

Cryptographic Posture

Classical Signatures (Active)

Industry-standard algorithms. Every receipt cryptographically signed.

Post-Quantum Signatures (Active)

Quantum-resistant algorithms. Resistant to quantum computing attacks. Harvest-now-decrypt-later defense.

Zero-Knowledge Proofs (Optional)

Optional ZK proof binding consent token, accumulator root, revocation epoch, and timing data. Verifiable without revealing inputs.

Verification Workflow

Any third party can independently verify a receipt offline. Five steps. No platform access required.

1. Schema + SLA Gate

Validate receipt against JSON-LD schema. Confirm all required fields present. Check timing SLA compliance.

validate_receipt.py receipt.jsonld → [OK]

2. Signature Verification

Verify cryptographic signatures over the receipt payload. All signatures must pass.

verify_signatures(receipt, pubkeys) → PASS

3. Zero-Knowledge Proof

Verify zero-knowledge proof binding consent decision to timing attestation.

zk_verify(proof, public_inputs) → PASS

4. Accumulator Membership

Verify cryptographic accumulator membership. Confirm receipt is included in the tamper-evident record.

accumulator_verify(receipt, root) → true

5. Registry Lookup

Query Policy Registry by receipt_id. Confirm block number, index, and timestamp. Ensure no replay (unique receipt).

registry_lookup(receipt_id) → FOUND, no_replay
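
Step 1 and the replay check from step 5, as an added example rather than the vendor's validate_receipt.py: the nested key names (`T0`/`T1`/`T2`, `init`/`complete`), integer millisecond timestamps and the SLA limits passed as parameters are assumptions, since the page gives no schema or thresholds. Steps 2 to 4 are left out because the page does not name the signature, ZK or accumulator schemes.

```python
import re

# Field names come from the table on this page; nested keys are assumed.
REQUIRED = ("@context", "type", "id", "issuer", "verifier", "credentialSubject",
            "timestamps", "durations_ms", "evidence", "accumulator_root",
            "registry_uri", "proof")           # zk_proof is optional on the page
URN_UUID = re.compile(r"^urn:uuid:[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$")

# Constructed sample receipt; every value is a placeholder.
SAMPLE = {
    "@context": ["https://www.w3.org/2018/credentials/v1"],
    "type": ["VerifiableCredential", "CDTDeletionReceipt"],
    "id": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "issuer": "did:example:issuer", "verifier": "did:example:verifier",
    "credentialSubject": {}, "evidence": [], "proof": [],
    "accumulator_root": "PLACEHOLDER", "registry_uri": "did:example:registry",
    "timestamps": {"T0": 1000, "T1": 1004, "T2": 1030},
    "durations_ms": {"init": 4, "complete": 30},
}

def gate(receipt, seen_ids, init_sla_ms, complete_sla_ms):
    """Return a list of failures; an empty list means the receipt passes."""
    errs = [f"missing field: {f}" for f in REQUIRED if f not in receipt]
    if errs:
        return errs                            # fail closed, skip deeper checks
    types = receipt["type"] if isinstance(receipt["type"], list) else []
    if not {"VerifiableCredential", "CDTDeletionReceipt"} <= set(types):
        errs.append("type must include both credential types")
    rid = receipt["id"]
    if not isinstance(rid, str) or not URN_UUID.match(rid.lower()):
        errs.append("id is not a URN UUID")
    elif rid.lower() in seen_ids:
        errs.append("replay: receipt id already seen")
    try:
        t0, t1, t2 = (receipt["timestamps"][k] for k in ("T0", "T1", "T2"))
        d_init, d_done = (receipt["durations_ms"][k] for k in ("init", "complete"))
        if not t0 <= t1 <= t2:
            errs.append("temporal order violated: need T0 <= T1 <= T2")
        if (d_init, d_done) != (t1 - t0, t2 - t0):
            errs.append("durations_ms disagree with timestamps")
        if d_init > init_sla_ms or d_done > complete_sla_ms:
            errs.append("timing SLA exceeded")
    except (KeyError, TypeError):
        errs.append("timestamps/durations_ms malformed")
    if not errs:
        seen_ids.add(rid.lower())              # record only accepted receipts
    return errs
```

Recomputing the durations from the timestamps catches a receipt whose `durations_ms` was edited to look SLA-compliant while the attested times say otherwise.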

Threat Model & Controls

Insider Edits / Backdating

Quorum receipts with cryptographic signatures. Tamper-evident accumulator prevents history rewriting. Oracle provides hardware-attested timestamps.

Clock Skew / Manipulation

Hardware-attested timing. Tamper-evident timestamps from Oracle. Temporal ordering enforced: T0 ≤ T1 ≤ T2.

Replay / Partial Delete

Proprietary revocation mechanism with fail-closed semantics. Instant token invalidation across all enforcement points.

Ledger Equivocation

Tamper-evident accumulators. Registry non-repudiation with unique receipt URIs. Anti-fork protections.

Patent Pending Examination

Protected by Multiple Patent Filings

Consent Enforcement: Patent Pending Examination
Receipt Infrastructure: Patent Pending Examination
AI Governance: Patent Pending Examination

35 patent applications across 7 technology clusters. All Patent Pending Examination. Details available under NDA.

Want the full technical whitepaper?

15-minute demo. Real receipts. Offline verification pack included.
