Loading...
xail Patent Portfolio / Application 2
← Back to Portfolio Sign out
Application 2 · Claim Map

Information-Theoretically Threshold Split-Channel Communication Over DID Service Endpoints with Bounded Blast Radius

Secure machine-to-machine communication via DID documents, threshold IDA, and three-dimensional compromise bounding. No single operator sees plaintext. Key compromise is temporally, scope, and content bounded.

20 Claims Filed 5 Independent 15 Dependent 19 Method 5 System 2 CRM
20
claims filed
5
independent
15
dependent
8
figures
3
blast radius dims
Filing Strategy: Claims are organized into filing groups. Group A (20 claims) files now. Group B (6 claims) is reserved for a continuation application using the same specification. All claims are supported by the current specification.
GROUP A · FILING NOW · 20 claims · 5 independent Core split-channel + bounded blast radius + trust registry
Independent Claim 1 · Method

Core Split-Channel Delivery via DID Endpoints

Secure message delivery between automated entities via DID documents and threshold IDA. Resolve recipient DID, select channels from independent operators, encrypt, sign, split, and transmit shares to channel endpoints.

CLAIM 1 METHOD Resolve recipient DID, select channels from independent operators, encrypt payload, assemble signed envelope, apply threshold IDA, transmit shares to channel endpoints, accumulate + verify + reconstruct. USE CASE IoT sensors split encrypted telemetry across 3 cloud providers — no single provider reads the data. C2 Heterogeneous channels (HTTP + email) C3 XorIDA over GF(2); email as special case C4 Per-share HMAC keyed by msg ID + share index C5 Delivery receipt tracking per share C6 Share envelope format (UUID, index, k, data) C7 IDA on ciphertext only; no operator sees plaintext C8 Hierarchical scope bound to signature C9 Replay prevention (nonce TTL + timestamp)
Independent Claim 10 · Method

Bounded Blast Radius: Temporal + Scope + Content

Three independent bounds on signing key compromise: temporal (nonce TTL + timestamp max age), scope (directed permission graph), and content (encrypt-then-sign with separate keys). Immediate revocation via trust registry.

CLAIM 10 METHOD Three independent bounds: temporal (nonce TTL + timestamp max age), scope (directed permission graph), content (encrypt-then-sign). Immediate revocation via trust registry update. USE CASE Stolen agent key: damage limited to 30s window, agent's permissions only, zero past message access. C11 Temporal bound: 30s max age, 60s+ nonce TTL Specific timing parameters for replay window C12 Adding threshold IDA split-channel to bounded blast radius
Independent Claim 13 · System

Trust Registry System

System for managing cryptographic identity and authorization: trust registry with DID, public key, role, and revocation. Directed permission graph, DID resolver, envelope verifier, and instant revocation interface.

CLAIM 13 SYSTEM Trust registry (DID, public key, role, revocation), directed permission graph, DID resolver, envelope verifier (timestamp, nonce, signature, permission), and immediate revocation interface. USE CASE Hospital network: each medical device has a DID. Revoking a compromised MRI is instant. C14 Hosted service with audit metadata (no content logged) C15 Nonce store: atomic set-if-not-exists with TTL >= 2x timestamp window C16 Permission edges w/ expiry; per-request, never cached
Independent Claim 17 · Computer-Readable Medium

Envelope Verification Pipeline

Instructions for receiving an envelope, rejecting stale timestamps, atomically checking nonces, resolving sender DID, verifying Ed25519 signature, querying the permission graph, and decrypting the payload.

CLAIM 17 CRM Receive envelope, reject if timestamp outside window, atomically check nonce, resolve sender DID + verify signature, query permission graph, decrypt payload. USE CASE Trading bot verifies timestamp, nonce, signature, and 'trade.execute' scope before executing. C18 Share envelope reception + threshold reconstruction
Independent Claim 19 · Method

Cross-Organizational Split-Channel

Secure cross-org communication: encrypt and threshold IDA across 3+ independent operators. Neither organization holds reconstructable shares. Compromise of either org alone reveals nothing. Satisfies attorney-client, HIPAA, and SEC requirements.

CLAIM 19 METHOD Encrypt + threshold IDA across 3+ independent operators. Neither org holds reconstructable shares. Compromise of either org alone reveals nothing. USE CASE Law firm + client: shares traverse AWS, Azure, private relay. No single subpoena reveals content. C20 Regulatory confidentiality (attorney-client, HIPAA, SEC)
GROUP B · CONTINUATION 1 · 6 claims Signing key custody + cross-org split-channel
Independent Claim 21 · Method

Encrypt-Then-Split-Ciphertext Protocol Order CONTINUATION 1

Encrypt payload first, then split ciphertext via threshold IDA. Signature covers ciphertext (not plaintext). At recipient: accumulate shares, verify, reconstruct ciphertext, verify signature, decrypt.

CLAIM 21 METHOD Encrypt payload, split ciphertext via threshold IDA. Signature covers ciphertext, not plaintext. Recipient: accumulate, verify, reconstruct, verify sig, decrypt. USE CASE Defense contractor: AES-encrypted specs are XorIDA-split. Relay compromise yields ciphertext fragments only. C22 Information-theoretic guarantee: fewer than k shares = zero information
Independent Claim 23 · Method

Signing Key Custody via Threshold Dispersal CONTINUATION 1

Generate asymmetric keypair, apply threshold IDA to private key producing n shares distributed to independent custody locations. Reconstruct transiently only at signing time, discard immediately. Key never exists complete except during signing.

CLAIM 23 METHOD Generate keypair, threshold IDA private key into n shares across independent custody locations. Reconstruct transiently at signing time only, then discard immediately. USE CASE Financial institution: master signing key split across 3 data centers. Exists in memory for ms only. C24 XorIDA over GF(2) + HSM custody location
Independent Claim 25 · System · Standalone

Trust Registry Apparatus CONTINUATION 1

Comprehensive system: entity identity store, directed permission graph, nonce store, DID resolver, envelope verifier, revocation interface. Three-dimensional bounded blast radius enforced by coordinated operation.

CLAIM 25 SYSTEM STANDALONE Entity identity store, directed permission graph, nonce store, DID resolver, envelope verifier, revocation interface. Three-dimensional bounded blast radius enforced by coordinated operation of all components. USE CASE Enterprise trust registry appliance managing 10,000 agent identities. Sub-1ms verification. Instant revocation on compromise.
Independent Claim 26 · Method · Standalone

Bounded Blast Radius Without Threshold Sharing CONTINUATION 1

Bounding signing key compromise without IDA: distinct key pairs for signing/encryption, per-message nonce and timestamp, signed envelope. Compromise bounded temporally, by scope, and by content.

CLAIM 26 METHOD STANDALONE Distinct key pairs for signing and encryption. Per-message nonce + timestamp. Signed envelope. Three-dimensional compromise bounding without threshold sharing: temporal, scope, and content independence. USE CASE Startup without multi-channel needs: API signing keys cannot read past messages, are timestamp- bounded, and scope-restricted by the permission graph.