Condition-Triggered Cryptographic Asset Control via Dormant Authorization Paths
Abstract: Control of encrypted digital assets is traditionally equated with permanent possession of private keys, a model that precludes regulatory supervision, conditional delegation, and legally compliant transfer at the cryptographic layer. Existing remedies (multi-signature schemes, threshold signatures, smart contracts, custodial delegation) require persistent key exposure, on-chain state mutation, or trusted intermediaries. We introduce Condition-Triggered Dormant Authorization Paths (CT-DAP), a cryptographic asset control method built on destructible authorization factors and parameterized by a root-derivable framework satisfying deterministic key derivation, context-isolated capability generation, and authorization-bound revocation. Under CT-DAP, control rights are dormant authorization paths composed of user-held credentials and administrative factors held by independent custodians; a path remains cryptographically inactive until all factors are simultaneously available. Upon verification of predefined conditions (e.g., user consent, inheritance events, time-based triggers), the corresponding factor is released, activating the path. Revocation is achieved by destroying factors, rendering the path permanently unusable without altering the cryptographic root. We formalize the threat model, define security games for unauthorized control resistance, path isolation, and stateless revocation, and prove security under standard assumptions (AEAD security of AES-GCM-SIV, PRF security of HKDF, memory-hardness of Argon2id, collision resistance of SHA-256). We instantiate CT-DAP using the Atomic Cryptographic Entity Generative Framework (ACE-GF) and evaluate performance, demonstrating sub-second activation latency with configurable security-performance trade-offs.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Explain it Like I'm 14
Overview
This paper is about a new way to control encrypted digital assets (like cryptocurrency or secure digital files) that only lets people use them when certain conditions are met. Instead of always needing the private key, it creates “dormant” access routes that stay locked until the right conditions (such as user consent, a legal inheritance event, or a time trigger) are verified. It also lets you instantly turn off an access route by destroying a small piece of the authorization, without changing the asset itself or moving it.
Key Questions the Paper Tries to Answer
- How can we make digital asset control depend on real-world conditions (consent, law, time) rather than just who holds a private key?
- How can we turn access on and off quickly without changing the blockchain or moving assets?
- How can we do this in a way that is both cryptographically secure and compatible with legal processes?
How the Method Works (In Simple Terms)
Think of controlling an asset like opening a special door:
- The “master ability” to open many doors comes from a hidden root secret that only exists briefly in memory (it’s never saved as-is).
- Each “door” is an authorization path that stays locked until all the required pieces are present.
Here’s the setup in everyday terms:
- Dormant authorization paths: These are pre-made “doors” that don’t open until all needed keys for that door are available.
- User credential: Something the asset owner holds (like a strong passphrase).
- Administrative factors: Small, separate “key pieces” held by independent custodians (e.g., a bank, a notary, or an organization). They only release their piece when a defined condition is met.
- Activation: When the condition is verified (for example, a court confirms an inheritance), the custodians release their pieces. Combined with the user’s credential, this temporarily reconstructs the root secret and derives the specific key to open that door, then immediately wipes the root from memory.
- Revocation: If you want to disable an access route, a custodian securely destroys their “key piece.” That door can never be opened again, even though the master root remains unchanged and other doors still work.
To make this concrete, the paper builds on a framework called ACE-GF:
- ACE-GF creates the root secret, lets you derive many independent keys from it using context labels (like “Wallet A,” “Account #42”), and seals the root in an encrypted “artifact” that looks like a normal mnemonic but is actually ciphertext.
- Technical tools used:
- AES-GCM-SIV: A strong, misuse-resistant “lock” to encrypt the sealed artifact.
- HKDF (with SHA-256): A standard “recipe” to derive keys that stay separate for each context.
- Argon2id: A memory-hard function that makes guessing the combined credential very expensive for attackers.
- SHA-256: A standard hash to prevent collisions and ensure data integrity.
The authors also define clear roles and a threat model:
- Custodians are “honest-but-curious” (they follow rules but may try to learn extra info).
- Adversaries might steal some pieces but not all.
- A verifier (like a notary or a decentralized oracle) checks whether real-world conditions are met and signals custodians to release factors.
Main Results and Why They Matter
- Conditional activation without moving assets: Control rights can be prepared in advance and only “switched on” when conditions are met, with no on-chain changes.
- Instant, stateless revocation: Destroying a single authorization factor permanently disables a path, without rotating keys or changing the asset’s address.
- Path isolation: Keys derived for one path don’t help an attacker guess or use another path, even though they come from the same root.
- Security proofs: The paper formalizes security and shows resistance to:
- Unauthorized control (can’t activate a path without all pieces),
- Cross-path leakage (one unlocked door gives no help with another),
- Revocation that doesn’t rely on changing any global state.
- Real-world performance: On common hardware, activation takes under a second, and you can tune how strong versus how fast you want it to be.
This matters because it solves a long-standing tension: people want secure, flexible, and legally compliant control over digital assets, but current systems either expose keys, depend on on-chain contracts, or trust a custodian completely. CT-DAP offers a cryptographic middle ground.
Implications and Potential Impact
- Inheritance and estate planning: You can set up access for heirs that only activates after legally verified events, with no key sharing upfront and no asset migration later.
- Regulated custody: Banks or compliance bodies can act as custodians who release factors under proper verification, without holding the entire key or moving funds.
- Delegated control and governance: Organizations can give temporary or conditional access to team members and revoke it instantly by destroying a factor, without changing the underlying wallet.
- Better safety: Since the root secret is never stored as plaintext and paths are independent, one mistake doesn’t compromise everything.
- Less reliance on on-chain logic: Because activation and revocation don’t require smart contracts or on-chain state changes, the approach can be used across different systems and remains audit-friendly off-chain.
In short, the paper shows a practical, secure way to make digital asset control align with real-world rules and needs: access can be turned on by conditions and turned off by destroying a small piece, all enforced by strong cryptography rather than constant key possession or complex on-chain code.
Knowledge Gaps
Knowledge gaps, limitations, and open questions
The paper proposes CT-DAP but leaves several technical, security, and operational aspects under-specified or unexplored. The following concrete gaps can guide future research:
- Collusion-resilience is not analyzed: security is proved under non-colluding, honest‑but‑curious custodians; no model, security game, or construction covers malicious custodians, collusion among custodians, or custodian–verifier collusion.
- No distributed path-setup protocol: PathSetup requires all AdminFactor_i to be known when sealing, yet the paper does not specify how custodians contribute their factors without revealing them to the owner (or each other); a contributory/multi-party sealing protocol is needed.
- Revocation verifiability is undeveloped: the scheme relies on “secure erasure” of AdminFactor_i but lacks mechanisms to audit or cryptographically attest destruction, detect backups/copies, or enforce non-recoverability (e.g., HSM-backed per-factor forward-secure erasure).
- Irreversibility after activation is a security limitation: once a beneficiary obtains Cred_composite, REV, or KeyAP[j], revocation is ineffective; mitigations such as non-exportable key derivation in HSM/TEE or one-time-use activation tokens are not designed or analyzed.
- Liveness and availability guarantees are missing: the model does not address what happens if a custodian fails, disappears, or refuses to release a factor when conditions are met; redundancy, SLAs, or fallback mechanisms are not specified.
- Condition-verifier robustness is under-specified: there is no formal treatment of verifier misbehavior, false attestations, replay protection, time-bounded validity, or cross-jurisdiction disputes; decentralized oracle aggregation security is not analyzed.
- Metadata authenticity gap: salt s_j and Argon2 parameters are stored in cleartext and appear unauthenticated; the scheme should bind all metadata to the sealed artifact (e.g., as AEAD associated data) to prevent parameter-substitution and downgrade/DoS attacks.
- BIP‑39 encoding usability risks: encoding ciphertext as a standard mnemonic risks dangerous interoperability (users importing SA into conventional wallets); a distinct encoding/HRP, explicit type tags, or checksums that signal “sealed” status are not specified.
- Parameter selection guidance is absent: concrete, device‑specific Argon2id parameter profiles (CPU/GPU/ASIC cost modeling, mobile vs server targets) and selection methodology are not provided.
- Side‑channel and implementation leakage is unaddressed: there is no analysis of side-channels in Argon2id/HKDF/AES‑GCM‑SIV, memory zeroization reliability in managed runtimes, or enclave/HSM integration to bound leakage.
- Threshold conditions for activation are inflexible: paths require all factors (AND); there is no support or formalization for threshold (t‑of‑n) factor combinations or composable Boolean policies across conditions.
- Multi-path management and blast-radius control are not designed: reusing an AdminFactor across multiple paths creates correlated revocation; tooling for dependency graphs, minimal‑privilege factor assignment, and safe reuse policies is missing.
- Update and evolution of policies is unclear: adding/removing factors or creating new paths post‑deployment without resealing (or without exposing REV) is not specified; the statelessness claim does not cover policy updates.
- Integrity of the factor release channel is underspecified: beyond “TLS 1.3 with pinning,” there is no protocol for mutual authentication, replay protection, nonce/timestamping, rate limiting, audit logging, or secure session tying releases to specific conditions.
- Privacy leakage is not analyzed: the design does not quantify or mitigate leakage of path existence, beneficiary identities, or conditions to custodians/verifiers; private condition attestations (e.g., via zero‑knowledge proofs) are unexplored.
- Cross‑chain and algorithm mappings are incomplete: precise derivations from HKDF output to valid ECDSA/EdDSA/Schnorr secret keys across curves and domains (bias-free mapping, domain separation, anti‑invalid‑curve checks) are not specified.
- Time‑based triggers without on‑chain state are unclear: robust, globally consistent time proofs (e.g., Roughtime, TEE attestation) and their security/liveness trade-offs are not analyzed.
- Post‑quantum preparedness is absent: no migration path is given for PQ‑resistant KDFs/AEADs, nor analysis of quantum attack impact on HKDF‑SHA256 and AES‑GCM‑SIV within CT‑DAP.
- Realistic entropy requirements are not addressed: the security proof assumes ≥128‑bit min‑entropy in at least one credential component; guidance and mechanisms to achieve this (hardware tokens, PAKE, password hardening) are not provided.
- Equality leakage via deterministic sealing is unexamined: AES‑GCM‑SIV is deterministic; sealing two identical inputs under the same key reveals equality—risks and mitigations (e.g., per‑path diversification, randomized AAD) are not discussed.
- Metadata loss and recovery procedures are missing: loss of salt s_j or parameters renders paths unusable; backup, redundancy, and integrity‑checked recovery mechanisms are not designed.
- DoS resilience is not considered: attackers modifying stored metadata or flooding activation attempts could cause denial of service; detection, rate-limiting, and recovery strategies are not provided.
- Formal security model scope is limited: proofs rely on ROM assumptions for HKDF and Argon2id; no treatment in the standard model, no composable (e.g., UC) security framework, and the “stateless revocation” game is not fully formalized in the provided text.
- Activation auditability is not specified: there is no mechanism to produce verifiable, privacy‑preserving proofs that an activation occurred (or that a revocation was executed) to satisfy legal audit requirements.
- Composability with threshold/MPC schemes is unexplored: how CT‑DAP composes with TSS/MPC custody to combine conditional activation with distributed signing is not analyzed.
- Security under partial leaks is not quantified: the impact of partial disclosure of UserCred or some AdminFactors on offline attack cost (beyond a generic min‑entropy bound) needs concrete models and guidance.
- Custodian incentive and governance mechanisms are unspecified: economic, contractual, or cryptographic incentives to prevent premature release or to ensure timely release are not designed.
- Consistency in artifact structure needs clarification: the paper alternates between a single SA_root and per‑path SA_j with distinct salts; the exact relationship (one SA for all paths vs per‑path sealing) and its security implications require clarification.
- Asset‑layer constraints are not addressed: for account‑based systems (e.g., EOAs), changing control policies without on‑chain state may not be possible unless pre‑planned; practical deployment patterns and limitations need exploration.
- Performance at scale is unmeasured: activation latency under multiple custodians, high‑latency networks, and large numbers of paths/beneficiaries lacks empirical evaluation.
Practical Applications
Overview
Condition-Triggered Dormant Authorization Paths (CT-DAP) introduce dormant, conditionally activatable control rights for encrypted assets, with stateless revocation via destructible authorization factors and context-isolated key derivation (instantiated with ACE-GF). Below are actionable applications grouped by deployment horizon, with sectors, likely tools/products/workflows, and feasibility notes.
Immediate Applications
These can be built today with custom wallet/custody/KMS integrations, standard AEAD/HKDF/Argon2id primitives, and existing legal/oracle verification processes.
- Estate and inheritance activation for digital assets (Finance, Legal, Consumer)
- Use case: A beneficiary’s access remains dormant until a notary/probate verifier attests a legally recognized inheritance event; a custodian releases an admin factor to activate the path; revocation is a one-step factor destruction.
- Tools/workflows: CT-DAP-enabled wallet or custodian portal; sealed artifact (BIP-39-like) stored by owner; verifier-signed attestation; custodian-held factors.
- Dependencies/assumptions: Trusted verifiers and non-colluding custodians; legal recognition of digital attestations; secure factor delivery; sufficient user/admin factor entropy.
- Institutional custody holds and releases without on-chain mutation (Finance/Compliance/Custody)
- Use case: VASPs/institutional custodians gate client signing keys behind CT-DAP factors for compliance holds, sanctions, or court orders; activation upon verified clearance; immediate freeze by factor destruction.
- Tools/workflows: Custody platforms integrate CT-DAP activation APIs and audit logs; policy-driven factor management; SOC processes.
- Dependencies/assumptions: Policies aligning to Assumption V (verifier integrity); audit requirements; regulator acceptance; controlled operational latency.
- “Break-glass” emergency access for enterprises (Healthcare, Enterprise IT/SecOps)
- Use case: Dormant emergency path for critical systems (e.g., EHR admin, root cloud account) activated only after incident criteria and multi-party approval; revoked post-incident without key rotation.
- Tools/workflows: CT-DAP gateway in front of KMS/SSO; ticketed approvals; secure factor escrow with security office/CISO.
- Dependencies/assumptions: Well-defined incident policy; HSM-backed factor storage; attested erasure for revocation (optional but recommended).
- Delegated signing with stateless revocation (Software supply chain/DevOps)
- Use case: Grant contractors or internal teams time-bounded signing capability (code signing, package publishing) via a dormant path; revoke by destroying a specific admin factor, no key migration.
- Tools/workflows: CT-DAP wrapper for code-signing CAs or Sigstore; per-project contexts; audit trail of factor lifecycle.
- Dependencies/assumptions: Integration with CI/CD; Argon2id tuning matching build infra; policy gates to prevent unauthorized factor release.
- API/KMS access lifecycle without rotating master secrets (Cloud/SaaS)
- Use case: Gate unsealing of a root entropy value (REV) that deterministically derives context-isolated API/KMS keys; revoke an app/team by destroying its factor; keys re-derived on demand.
- Tools/workflows: CT-DAP front-end to cloud KMS or self-hosted HSM; per-service contexts; service account mapping.
- Dependencies/assumptions: KMS/HSM plugin capability; secure salt/SA storage; monitoring for activation events.
- OTC settlement and M&A escrow (Finance, Legal)
- Use case: Activation of control paths for escrowed assets when closing documents and funds are verified; mediator releases factor; revoke path if conditions fail without moving assets.
- Tools/workflows: Deal room platform with verifier integration; mediator custodians; policy-bound factor distribution.
- Dependencies/assumptions: Contractual clarity on release conditions; secure channels; audit logs for legal defensibility.
- Family/guardian controls and time-based allowances (Fintech/Consumer/Education)
- Use case: Children’s wallets or allowances remain dormant until parent/guardian factor is released or a time trigger elapses; revocation by factor destruction.
- Tools/workflows: Consumer wallets with CT-DAP; time-based verifiers (trusted timestamp/oracle); parental dashboards.
- Dependencies/assumptions: Reliable time/oracle services; UX for factor custody; recovery procedures.
- Legal-hold/regulated data access gates (Enterprise, LegalTech)
- Use case: Encrypted data vaults or logs where decryption keys are derived only when legal-hold criteria are verified; revoke access capability after case completion without re-encryption.
- Tools/workflows: CT-DAP controlling decryption key derivation; legal-hold verifier; audit logging.
- Dependencies/assumptions: Data retention policy alignment; confidentiality of admin factors; verifier auditability.
- Device fleet feature/firmware signing gates (IoT/Manufacturing)
- Use case: Firmware signing keys derived only when manufacturing QA or field-service conditions are met; revoke contractor/manufacturer path without re-keying devices.
- Tools/workflows: CT-DAP in signing pipeline; per-model/per-batch contexts; factory HSM custody of factors.
- Dependencies/assumptions: Secure HSM/TEE for factor storage; device trust anchors; robust erase semantics for revocation.
- DAO/protocol guardian safety keys off-chain (Web3/Software)
- Use case: Emergency admin keys for pausing/upgrades remain dormant; activation requires multi-custodian factor releases; revocation via factor destruction without on-chain governance changes.
- Tools/workflows: CT-DAP-gated signer for guardians; per-action contexts; incident runbooks.
- Dependencies/assumptions: Clear governance around factor custodians; transparency/audit to community; oracle risks mitigated.
Long-Term Applications
These require further research, standardization, or ecosystem maturation (e.g., decentralized verifiers, legal frameworks, PQ readiness, large-scale ops).
- Wallet and custody standardization (e.g., BIP for sealed-artifact mnemonics) (Standards/Web3)
- Value: Interoperable CT-DAP across wallets/HW vendors.
- Dependencies: Community consensus; test vectors; formal spec of context encoding and SA format.
- Hybrid CT-DAP + MPC custody (Institutional Finance)
- Value: Conditional activation on top of distributed signing; factors gate MPC session start or share release.
- Dependencies: Protocol design to avoid new attack surfaces; liveness under partial custody failures; performance profiling.
- Decentralized, privacy-preserving condition verification (LegalTech/Oracles)
- Value: Oracle networks issuing attestations for events (e.g., death, court orders) with multi-source aggregation and potentially zero-knowledge proofs.
- Dependencies: Data access agreements; privacy laws; oracle incentive mechanisms; zk circuits for legal conditions.
- CBDCs and tokenized RWA control policies (Public Sector/Finance)
- Value: Regulator- or institution-held factors aligning cryptographic control with statutory mandates (e.g., freezes, recovery).
- Dependencies: Policy frameworks; public oversight; risk analyses for concentration of factor control.
- Insurance-backed custody with cryptographic audit trails (Finance/Insurance)
- Value: Premiums conditioned on factor custody posture and attested revocation logs.
- Dependencies: Audit and certification standards; insurer actuarial models for CT-DAP risk.
- Post-quantum CT-DAP (Cybersecurity)
- Value: PQ-safe sealing and derivation (e.g., KDFs, AEADs) to future-proof dormant paths.
- Dependencies: Mature PQ AEAD/KDF standards; performance evaluation; migration guidance.
- Travel rule/compliance-by-design paths (Crypto Compliance)
- Value: Paths requiring VASP-held factors for certain transfers; automated, stateless revocation upon risk flags.
- Dependencies: Regulatory acceptance; user autonomy and portability; verifier SLAs.
- Massive-scale IoT lifecycle management (Manufacturing/Automotive/Energy)
- Value: Fleet-wide, condition-triggered signing and feature control without device re-keying; per-device context isolation.
- Dependencies: Supply chain security; scalable factor distribution/rotation; field revocation telemetry.
- Cross-chain and cross-domain identity/control interop (Web3/Identity)
- Value: Use contexts to derive per-chain keys from a single REV while keeping paths isolated; unify asset control across chains.
- Dependencies: Bridge/oracle reliability; standard context schemas; recovery UX.
- Formal verification and configuration tooling (Academia/Tooling)
- Value: Static analyzers and provers for path isolation, revocation reachability, and misconfiguration detection.
- Dependencies: Formal models; developer-friendly DSLs; integration with CI.
- Remote attestation of factor destruction (Compliance/Hardware)
- Value: Cryptographic proofs (HSM/TEE) that factors were securely erased for audit/regulatory purposes.
- Dependencies: Vendor support; standards for erasure attestations; verifier trust anchors.
- Zero-knowledge attestations for sensitive conditions (Privacy/LegalTech)
- Value: Prove that a condition (e.g., jurisdictional status, age, death event) holds without disclosing PII.
- Dependencies: Data custodians issuing zk-friendly credentials; legal acceptance; efficient proof systems.
Notes on Feasibility and Assumptions
- Security assumptions: AEAD (AES-GCM-SIV) IND-CPA/INT-CTXT, HKDF PRF security, Argon2id memory-hardness, SHA-256 collision resistance; at least one credential component with high min-entropy; correct and non-colluding custodians (or bounded collusion).
- Operational dependencies: Reliable condition verifiers (TTP or decentralized oracles); secure factor custody and transmission; robust secure-erasure procedures; audit logging; UX for SA storage and recovery.
- Performance: The paper shows sub-second activation on commodity hardware with tunable Argon2id parameters; deployments must calibrate for device/server capabilities.
- Legal/regulatory: Many high-value use cases depend on legal recognition of digital attestations and alignment of cryptographic revocation/activation with statutory processes.
Glossary
- ACE-GF (Atomic Cryptographic Entity Generative Framework): A seed-storage-free framework that derives context-isolated control keys from an ephemeral root and enables revocation via destructible credential components. "We instantiate CT-DAP using the Atomic Cryptographic Entity Generative Framework (ACE-GF)~\cite{acegf-tr}"
- AEAD (Authenticated Encryption with Associated Data): A symmetric encryption primitive providing confidentiality and integrity for ciphertexts and associated data. "AEAD security---IND-CPA and INT-CTXT---of AES-GCM-SIV"
- AES-256-GCM-SIV: A nonce-misuse-resistant AEAD scheme combining AES with GCM-SIV for deterministic authenticated encryption. "The sealing mechanism uses AES-256-GCM-SIV~\cite{rfc8452}, providing deterministic, nonce-misuse-resistant authenticated encryption."
- Argon2id: A memory-hard password-based key derivation function designed to resist GPU/ASIC brute-force attacks. "Argon2id~\cite{argon2} provides memory-hard key derivation with resistance to offline brute-force attacks;"
- Authorization-Bound Revocation: A revocation method where destroying a required credential component permanently disables access without changing the root or on-chain state. "authorization-bound revocation via destructible credential components."
- BIP-32: A Bitcoin standard for hierarchical deterministic (HD) key derivation from a single seed. "BIP-32~\cite{bip32}"
- BIP-39: A Bitcoin standard defining mnemonic phrases that encode entropy for wallet seeds. "BIP-39~\cite{bip39}"
- BIP-44: A Bitcoin standard specifying multi-account HD wallet structure over multiple coins. "BIP-44~\cite{bip44}"
- Ciphertext-Policy Attribute-Based Encryption (CP-ABE): A public-key encryption paradigm where ciphertexts embed access policies and keys carry attributes. "Ciphertext-policy attribute-based encryption (CP-ABE)~\cite{bethencourt2007cpabe}"
- Collision Resistance: A hash function property making it computationally infeasible to find two distinct inputs with the same output. "collision resistance of SHA-256)"
- Condition-Triggered Dormant Authorization Paths (CT-DAP): A cryptographic control method where rights are pre-defined and become active only when external conditions release required factors. "We introduce Condition-Triggered Dormant Authorization Paths (CT-DAP)"
- Context Isolation: A property ensuring keys derived for different contexts from the same root are computationally independent. "Context Isolation: For distinct contexts , the values"
- Decentralized Oracle: A distributed system that attests to off-chain conditions for on-chain or cryptographic use without a single point of failure. "decentralized oracle network~\cite{adler2018astraea}"
- Dormant Authorization Path: A pre-established but cryptographically inactive control path that requires additional factors to activate. "Dormant Authorization Path;"
- FROST: A modern threshold signature scheme based on Schnorr signatures optimized for fewer rounds. "FROST~\cite{frost}"
- GG18: A threshold ECDSA signature protocol enabling distributed signing without reconstructing the private key. "GG18~\cite{gg18}"
- GG20: An improved threshold ECDSA protocol offering enhanced efficiency and security properties. "GG20~\cite{gg20}"
- HKDF (HMAC-based Key Derivation Function): A widely used PRF-based KDF that extracts and expands keys using HMAC over a hash function. "HKDF-SHA256~\cite{rfc5869}"
- HMAC-SHA256: A message authentication code built from SHA-256, used as a PRF within HKDF. "HMAC-SHA256"
- IND-CPA (Indistinguishability under Chosen-Plaintext Attack): A standard confidentiality notion stating ciphertexts reveal no information about chosen plaintexts. "IND-CPA and INT-CTXT"
- INT-CTXT (Integrity of Ciphertexts): A security notion ensuring ciphertexts cannot be forged or altered without detection. "IND-CPA and INT-CTXT"
- Memory-Hardness: A property requiring substantial memory to compute a function, impeding parallel brute-force attacks. "memory-hardness of Argon2id"
- Multi-Party Computation (MPC): Cryptographic protocols allowing parties to jointly compute a function over inputs while keeping those inputs private. "multi-party computation (MPC)"
- Nonce-Misuse Resistance: An AEAD property maintaining security even if nonces are reused. "Nonce-Misuse Resistance: The sealing mechanism uses AES-256-GCM-SIV"
- Pseudorandom Function (PRF): A deterministic function indistinguishable from random to any efficient adversary without the key. "PRF security of HKDF in the random-oracle model"
- Random Oracle Model (ROM): An idealized model treating hash functions as random oracles for security proofs. "in the random-oracle model"
- Root Entropy Value (REV): The core secret root from which all context-specific control keys are deterministically derived. "Generates a 256-bit Root Entropy Value"
- Sealed Artifact (SA): An encrypted, persistent ciphertext container that protects the root until correct credentials are provided. "producing a sealed artifact."
- Shamir's Secret Sharing: A threshold scheme that splits a secret into shares requiring a minimum subset to reconstruct. "Shamir's secret sharing~\cite{shamir79}"
- Smart Contract: On-chain code that enforces programmable policies and state transitions autonomously. "Smart contracts~\cite{wood2014ethereum,szabo1997smart}"
- Stateless Revocation: Disabling access without maintaining or mutating global state or rotating keys. "Stateless Revocation;"
- Threshold Signature Scheme (TSS): A protocol where a subset of participants collectively produces a signature without reassembling the secret key. "threshold signature protocols (e.g., GG18~\cite{gg18}, GG20~\cite{gg20}, FROST~\cite{frost})"
- Time-Lock Puzzle: A cryptographic construction that forces a predetermined amount of sequential work before revealing a secret. "Time-lock puzzles~\cite{rivest1996timelock}"
- Verifiable Delay Function (VDF): A function that requires a set amount of sequential time to compute, with a proof that verifies quickly. "verifiable delay functions (VDFs)~\cite{boneh2018vdf}"
- Zeroization: Securely erasing sensitive material from memory to prevent future recovery. "zeroizes from memory, and returns the control key."
Collections
Sign up for free to add this paper to one or more collections.