Dynamic Device Hash for Pseudonymous Authentication: Volatile Identity Without Stored Credentials
by Nick Clark | Published March 27, 2026
Index access in the adaptive framework is gated by a dynamic device hash that is computed locally, rotated on each session, and bound to the specific device-thread originating a given payload. The hash carries no persistent secret, requires no enrollment ceremony, and leaves a tamper-evident record at every point of presentation. Authentication is therefore not a property of stored credentials but a property of the structural continuity of a device participating in the index over time. This article specifies the mechanism, the operating parameters, alternative embodiments, the composition of the credential, the prior-art landscape against which it is differentiated, and the disclosure scope claimed.
Mechanism
The Dynamic Device Hash (DDH) is a volatile authentication artifact produced by an extractor function executed within the participating device at the moment the device requests admission to the adaptive index. The extractor draws from a defined entropy basis: hardware random-number sources where available, ephemeral system-state measurements (memory occupancy, scheduler timing, peripheral interrupt patterns), volatile sensor readings, and a session-bound nonce previously emitted by the index anchor with which the device intends to transact. The resulting digest is a fixed-length value that has no meaning outside the immediate session and that cannot be regenerated in the absence of the originating device's live entropy state.
Authorization to read from or write to the index is granted only when a presented DDH validates against an anchor's continuity record for the device-thread it claims to extend. The anchor does not store the device's prior DDHs in plaintext; it stores a chained commitment, such that each new DDH must be demonstrably derived from the previous DDH through the device's local entropy evolution. The chain forms a verifier graph: each session's hash is a node, each transition is an edge, and admissibility is a reachability check against the most recent committed node.
Per-session rotation is intrinsic. A DDH valid at session N is structurally invalid at session N+1; the anchor refuses any presentation that attempts to reuse a prior digest, and any device attempting reuse self-evicts from its own continuity chain. The chain is tamper-evident in both directions: an attacker who replays a captured DDH triggers a chain divergence that is recorded against the legitimate device-thread, alerting the anchor and downstream auditors that the thread has been forked or impersonated.
Payload binding is achieved by including the payload digest in the entropy basis from which the DDH is extracted. A DDH therefore authorizes one specific payload submitted by one specific device-thread in one specific session. Detaching the payload from the hash invalidates the hash; substituting the payload invalidates the hash; replaying the hash against a different payload invalidates the hash. The credential is non-transferable by construction, not by policy.
Operating Parameters
The extractor produces digests of a length sufficient to resist birthday-bound collisions across the expected lifetime of a device-thread, with embodiments using 256-bit or 512-bit outputs depending on the cryptographic suite negotiated between the device and the anchor. Rotation cadence is parameterized: the default embodiment rotates per session, where a session is bounded by either an idle timeout (typically measured in tens of seconds) or a transaction count threshold, whichever is reached first. Higher-assurance embodiments rotate per individual payload submission, eliminating any window in which a captured hash retains validity.
The entropy basis is configurable at deployment. A minimal embodiment combines a hardware RNG output with the anchor-issued nonce and the payload digest. A richer embodiment incorporates volatile sensor data, scheduler-derived timing entropy, and peripheral-state fingerprints. The extractor is required to be a strong randomness extractor in the cryptographic sense, such that an adversary observing any subset of the inputs gains negligible information about the output.
Continuity-chain depth is also parameterized. A short chain (a handful of recent DDHs) is sufficient for low-stakes participation; a long chain accumulates trust weight and supports higher-value transactions. Anchors maintain pruning policies: chain commitments older than a configured horizon are summarized into a Merkle root that preserves auditability without requiring unbounded storage. Pruned roots remain available to forensic auditors with appropriate credentials.
Latency is bounded by the time required to gather entropy, run the extractor, and validate the chain commitment. In practice this is dominated by the extractor's compute cost, which is sub-millisecond on commodity hardware. Tamper-evidence checks add a single chain-link verification on the anchor side, which is similarly negligible. The mechanism is therefore suitable for high-throughput indexing workloads where every read and write is independently authorized.
Trust-weight accumulation is parameterized by a function that maps successful authorizations to incremental weight, with diminishing returns over time so that recently active device-threads carry meaningful weight without permitting indefinite trust inflation. The function is configurable per anchor and per index region, supporting policy regimes in which certain regions require freshly accumulated trust while others tolerate longer accumulation horizons. Divergence events deduct from the accumulator at a configurable rate, with severe divergences (such as detected replays) triggering immediate quarantine of the device-thread pending forensic review by a credentialed auditor.
Interoperability parameters cover the negotiation between device and anchor at session inception. The device proposes an extractor suite and a rotation discipline; the anchor accepts, counters with a more stringent profile, or refuses. The negotiation itself is bound into the session's first DDH so that any subsequent attempt to renegotiate downward is detectable as a chain divergence. This binding ensures that the security profile of a device-thread is monotonic across its lifetime under any single anchor relationship.
Alternative Embodiments
In a first alternative embodiment, the DDH is produced by a hardware-rooted extractor (a TPM, secure enclave, or equivalent) that signs the digest internally before release. This embodiment trades the strict no-persistent-secret property for stronger evidence of device provenance, and is appropriate where regulatory constraints require attestation that the device meets a defined hardware baseline.
In a second alternative embodiment, the device-thread is composed of multiple physical devices acting as a quorum. Each device contributes partial entropy to the extractor, and the resulting DDH is valid only when a configurable threshold of contributing devices is present. This embodiment supports operator-bound or institution-bound device-threads where loss of any single device must not compromise the thread's continuity.
In a third alternative embodiment, the continuity chain is anchored not in a single index anchor but in a distributed quorum of anchors. The DDH is committed to multiple anchors in parallel, and admissibility requires concurrence among a threshold of them. This embodiment hardens the framework against compromise of any single anchor and supports cross-jurisdictional indices where no single anchor holds dispositive authority.
In a fourth alternative embodiment, the device-thread is permitted to fork deliberately, producing two valid descendant chains from a single ancestor DDH. The fork is itself a credentialed event, signed by a delegating authority, and is used to migrate a device-thread across a hardware change, a custodial transfer, or a controlled handoff between operators. Unauthorized forks remain detected as chain divergences and treated as tamper events.
In a fifth alternative embodiment, the DDH carries a secondary binding to a non-device context, such as a geographic envelope, a temporal window, or a regulatory jurisdiction. Presentations outside the bound context are inadmissible regardless of chain validity. This embodiment supports indices whose authorization model includes spatial or temporal scope.
Composition
A presented DDH credential is composed of: (a) the digest itself; (b) a reference to the anchor-issued nonce that contributed to the entropy basis; (c) the payload digest to which the credential is bound; (d) a chain-link proof demonstrating that the digest is a valid successor of the device-thread's prior committed DDH; and (e) a timestamp drawn from the anchor's monotonic clock. The five components are concatenated and presented atomically; partial presentations are rejected.
The anchor's continuity record is composed of: (i) the device-thread identifier (which is itself derived from the genesis DDH and carries no externally meaningful identity); (ii) the most recent committed chain root; (iii) a pruning horizon indicating how far back individual links remain individually verifiable; (iv) a trust-weight accumulator updated on each successful authorization; and (v) a divergence log recording any detected fork or replay attempt. The divergence log is append-only and is exposed to auditors operating under their own credentialed access.
The credential composition is deliberately minimal. There is no certificate, no enrollment artifact, no long-lived public key, and no out-of-band identity binding. Everything required to authenticate a presentation is contained in the presentation itself, validated against the anchor's continuity record, and discarded once the session closes.
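The following toy model, added here as an illustration and not code from the author or the adaptive framework, ties together the mechanism (extraction, continuity chain, per-session rotation, payload binding, replay and fork divergence), the trust-weight and nonce parameters, and the five-part credential and anchor record described under Composition. Every construction in it is an assumption made for the example: SHA-256 over length-prefixed parts stands in for the negotiated digest, `os.urandom` stands in for the hardware and sensor entropy basis, the chain commitment is `root_n = H(root_{n-1} || DDH_n)` with the anchor keeping only the last two roots, the link proof reveals the already-expired prior DDH together with the fresh entropy so the anchor can recompute the derivation, trust weight grows as `w += 1/(1+w)` and loses 0.5 per divergence, and a replay quarantines the thread. The class and function names (`Anchor`, `Device`, `Presentation`, `session`, `demo`) and the constructed payloads are likewise mine. The model assumes presentations travel over a confidential channel; an observer who copies the volatile state can only fork the thread, which the anchor records as a divergence.

```python
"""Toy model of one DDH device-thread: extraction, continuity chain, payload
binding, replay/fork divergence and trust weight. Assumed constructions only."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (stand-in for the negotiated digest)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

@dataclass
class Presentation:              # the five components; any missing one is rejected
    digest: Optional[bytes]          # (a) the DDH itself
    nonce_ref: Optional[bytes]       # (b) anchor-issued nonce from the entropy basis
    payload_digest: Optional[bytes]  # (c) payload the credential is bound to
    link_proof: Optional[tuple]      # (d) (prior DDH, fresh entropy): successor proof
    timestamp: Optional[int]         # (e) reading of the anchor's monotonic clock

@dataclass
class ContinuityRecord:          # anchor side: chain roots, never the DDHs themselves
    thread_id: bytes
    prev_root: bytes
    root: bytes
    trust_weight: float = 0.0
    quarantined: bool = False
    divergence_log: list = field(default_factory=list)   # append-only

class Device:
    """Holds only volatile state: the last accepted DDH (empty means genesis)."""
    def __init__(self) -> None:
        self.prev_ddh = b""

    def extract(self, nonce: bytes, ts: int, payload: bytes) -> Presentation:
        entropy = os.urandom(32)     # stands in for the hardware RNG / sensor basis
        pd = H(b"payload", payload)
        ddh = H(b"ddh", self.prev_ddh, entropy, nonce, pd)
        # Link proof (assumption): reveal the now-expired prior DDH and the fresh
        # entropy so the anchor can recompute the derivation against its commitment.
        return Presentation(ddh, nonce, pd, (self.prev_ddh, entropy), ts)

class Anchor:
    def __init__(self) -> None:
        self.clock, self.records, self.open_nonces = 0, {}, {}

    def issue_nonce(self):
        self.clock += 1                       # monotonic clock
        nonce = os.urandom(16)
        self.open_nonces[nonce] = self.clock  # single use
        return nonce, self.clock

    def _diverge(self, rec: ContinuityRecord, kind: str) -> None:
        rec.divergence_log.append(kind)
        rec.trust_weight = max(0.0, rec.trust_weight - 0.5)  # configurable deduction
        if kind == "replay":                  # severe: quarantine pending audit
            rec.quarantined = True

    def present(self, p: Presentation, thread_id: Optional[bytes]):
        """Validate a presentation claiming thread_id (None = request genesis)."""
        if any(v is None for v in vars(p).values()):
            return "reject:partial", thread_id
        rec = self.records.get(thread_id)
        if rec is not None and rec.quarantined:
            return "reject:quarantined", thread_id
        prior, entropy = p.link_proof
        expect = H(b"ddh", prior, entropy, p.nonce_ref, p.payload_digest)
        if not hmac.compare_digest(expect, p.digest):
            return "reject:binding", thread_id          # detached/substituted payload
        if self.open_nonces.pop(p.nonce_ref, None) != p.timestamp:
            if rec is not None:                          # consumed nonce: captured hash
                self._diverge(rec, "replay")
            return "reject:replay", thread_id
        if rec is None:
            if thread_id is not None or prior != b"":
                return "reject:unknown-thread", thread_id
            tid = H(b"thread", p.digest)                 # no external identity inside
            rec = self.records[tid] = ContinuityRecord(tid, b"", H(b"root", b"", p.digest))
        elif H(b"root", rec.prev_root, prior) != rec.root:
            self._diverge(rec, "fork")                   # predecessor is not our head
            return "reject:fork", thread_id
        else:
            rec.prev_root, rec.root = rec.root, H(b"root", rec.root, p.digest)
        rec.trust_weight += 1.0 / (1.0 + rec.trust_weight)   # diminishing returns
        return "ok", rec.thread_id

def session(anchor: Anchor, dev: Device, tid, payload: bytes):
    """One admission round; the device rotates its state only on acceptance."""
    nonce, ts = anchor.issue_nonce()
    p = dev.extract(nonce, ts, payload)
    status, tid = anchor.present(p, tid)
    if status == "ok":
        dev.prev_ddh = p.digest
    return status, tid, p

def demo() -> dict:
    """Constructed scenario: two good sessions, a cloned device forking the
    thread, a substituted payload, a replayed credential and the quarantine."""
    anchor, dev, out = Anchor(), Device(), {}
    out["genesis"], tid, _ = session(anchor, dev, None, b"write:k1=v1")
    clone = Device()
    clone.prev_ddh = dev.prev_ddh                         # copy of the volatile state
    out["s2"], _, p2 = session(anchor, dev, tid, b"read:k1")
    out["weight_after_s2"] = anchor.records[tid].trust_weight
    out["fork"], _, _ = session(anchor, clone, tid, b"read:k1")   # stale predecessor
    nonce, ts = anchor.issue_nonce()
    bad = dev.extract(nonce, ts, b"write:k2=v2")
    bad.payload_digest = H(b"payload", b"write:k2=other")   # payload swapped after hashing
    out["substitute"], _ = anchor.present(bad, tid)
    out["replay"], _ = anchor.present(p2, tid)            # re-present a captured credential
    out["after_quarantine"], _, _ = session(anchor, dev, tid, b"read:k1")
    out["partial"], _ = anchor.present(Presentation(p2.digest, None, None, None, None), tid)
    out["final_weight"] = anchor.records[tid].trust_weight
    out["log"] = list(anchor.records[tid].divergence_log)
    return out
```

Running `demo()` walks the scenario: the genesis and second sessions are admitted; the clone, whose predecessor is no longer the committed head, is refused with a `fork` entry in the divergence log and a trust-weight deduction; the swapped payload fails the binding recomputation before any nonce is consumed; re-presenting the captured second-session credential hits its consumed nonce, is logged as a `replay` and quarantines the thread, so the legitimate device's next session is refused pending review; and a presentation missing any of the five components is rejected before any other check runs.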
Prior-Art Differentiation
Conventional device authentication relies on persistent secrets: client certificates issued at enrollment, private keys provisioned to a TEE, shared symmetric keys negotiated through PKI, or device-fingerprinting heuristics that aggregate stable device characteristics. Each of these approaches treats identity as a property of stored material, and each suffers the corresponding failure modes: theft of the stored material, compromise of the issuing authority, or correlation attacks against the fingerprint.
Hardware-attestation schemes such as TPM-based remote attestation reduce the theft surface by binding the secret to silicon, but they preserve the underlying model in which authentication is a property of a long-lived key. They do not, by themselves, produce a per-session, payload-bound, tamper-evident credential whose validity decays as the device's entropy evolves.
One-time-password schemes rotate credentials but rely on a pre-shared seed and a synchronized counter, neither of which the present mechanism requires. Token-binding protocols bind a session token to a TLS channel but do not bind a credential to a specific payload nor to a device-thread continuity chain. Decentralized-identifier frameworks shift control of identifiers to the holder but typically retain a long-lived signing key as the authoritative credential.
The mechanism specified here differs in that the credential is intrinsically volatile, intrinsically per-session, intrinsically payload-bound, and intrinsically tamper-evident through the continuity chain. It does not require an enrollment ceremony, a credential database, or a revocation infrastructure. Compromise of a presented hash yields a value that is already decaying; compromise of a device-thread yields a divergence that is structurally observable.
Disclosure Scope
This disclosure encompasses the dynamic device hash mechanism as specified above, including the extractor function and its entropy basis, the per-session rotation discipline, the payload-binding construction, the continuity-chain commitment scheme operated by the index anchor, the tamper-evidence properties that follow from chain divergence detection, and each of the alternative embodiments enumerated. The scope further encompasses the credential composition and the anchor-side continuity record composition, including the trust-weight accumulator and the divergence log.
The disclosure is not limited to any particular cryptographic suite, digest length, or hardware platform. It is not limited to any particular index topology or anchor governance arrangement. It is not limited to any particular application domain; the mechanism is applicable wherever index access must be authorized per session, per device, and per payload, with tamper-evident records preserved for audit.
The mechanism is disclosed as a component of the broader adaptive network framework (US 19/326,036), which provides the surrounding governance, indexing, and credentialing primitives within which the dynamic device hash operates as the device-authentication layer. Use of the mechanism outside the disclosed framework remains within the scope of the disclosure to the extent that the claimed structural properties (volatility, per-session rotation, payload binding, tamper-evidence, continuity chaining) are preserved.