Multi-Identity Delegation Without Biological Data Disclosure

by Nick Clark | Published March 27, 2026

A capability scoped to biological identity A may be delegated to biological identity B for a bounded scope, where the delegation is recorded as a cryptographically signed link in a delegation chain that traces from B's exercising signature back through every intermediary to A's original capability grant. The chain is depth-limited: a delegation that would extend the chain past a configured maximum depth cannot be re-delegated, and any attempt to do so produces an unverifiable chain that the verifying system rejects. No party in the chain ever exposes biological-identity material to any other party; each link carries only the public commitments necessary to verify continuity of authorization.

Mechanism

Each biological identity is represented to the system by a public commitment derived from the identity's biological signal under a one-way transform. The commitment is stable across verifications of the same identity but does not permit recovery of the underlying biological data. A capability is a record specifying an action class, a target scope, and a binding to one or more identity commitments authorized to invoke it. When identity A holds a capability and wishes to delegate it to identity B, A constructs a delegation token containing: the parent capability identifier, B's identity commitment, the bounded scope of the delegation (which must be a subset of A's capability scope), an expiration condition (typically a time horizon, an action count, or a context predicate), the current chain depth, and the maximum chain depth permitted by the parent capability.

A signs the delegation token under a key derived from a zero-knowledge proof that A presently satisfies the parent capability's identity binding. The proof attests possession of the biological identity that the parent capability authorizes without revealing the identity material itself. The signed token is delivered to B through any channel; B does not learn anything about A's biological data from receiving it. When B exercises the delegated capability, B presents the token together with B's own zero-knowledge proof of biological identity and a fresh signature binding the proof to the present action context.

The verifying system performs three checks. First, it verifies B's biological-identity proof against B's commitment. Second, it verifies the delegation token's signature against A's commitment and confirms that A presently satisfies (or satisfied at delegation time, depending on the capability's policy) the parent capability's identity binding. Third, it walks the chain: if the token's parent capability is itself a delegation token, the verifier recursively validates the parent's signature, the parent's scope envelope (the present token's scope must be a subset), and the parent's expiration condition. The walk continues until the chain reaches an originating capability grant whose binding is to an authority rather than to a delegation predecessor.

During the walk, the verifier tracks chain depth. Each delegation token carries the current depth and the maximum depth permitted by its parent. If at any point the current depth equals or exceeds the maximum, the token is marked terminal: it may be exercised by its named delegate, but it cannot be re-delegated. A token attempting to delegate from a terminal predecessor produces a chain whose depth field exceeds the predecessor's stated maximum, and the verifier rejects the chain as unverifiable. The depth limit is therefore enforced cryptographically rather than by policy alone: a forged extension would require forging a signature against an identity commitment the forger does not control.

The maximum depth field is itself signed at each link as part of the link's authenticated payload, and a child link's stated maximum cannot exceed the parent's stated maximum minus one. A delegator who wished to permit deeper re-delegation than the parent allows would have to alter the maximum-depth field of an upstream link, which would invalidate that link's signature and cause the chain walk to reject the chain at that point. The depth limit therefore composes monotonically: the originating capability sets the global ceiling, and every intermediate delegator can only narrow the permitted depth, never widen it.
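The token structure, chain walk, scope subsetting and signature-enforced depth limit described above, as an added example in Go (not code from the page or its author). It assumes Ed25519 keys standing in for identity commitments and the zero-knowledge identity proofs (the page fixes no proof system), a JSON encoding for the signed payload, and treats the maximum depth as an absolute chain ceiling that each link may only narrow.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"slices"
)

// Link is one delegation token, signed by the parent's delegate (by the authority at the root).
// Assumption: an Ed25519 public key stands in for the identity commitment; the page fixes no proof system.
type Link struct {
	Delegate ed25519.PublicKey `json:"delegate"`
	Scope    []string          `json:"scope"`
	Depth    int               `json:"depth"`
	MaxDepth int               `json:"max_depth"` // absolute chain ceiling; a child may only narrow it
	Sig      []byte            `json:"-"`         // excluded from the signed payload
}

// payload is the authenticated portion of a link (JSON encoding is an assumption of this example).
func payload(l Link) []byte { b, _ := json.Marshal(l); return b }

// Delegate signs a child token under the delegator's key. It polices nothing on purpose:
// depth and scope are the verifier's job, and a rogue delegator may try to overstep both.
func Delegate(parent Link, key ed25519.PrivateKey, to ed25519.PublicKey, scope []string, limit int) Link {
	l := Link{Delegate: to, Scope: scope, Depth: parent.Depth + 1, MaxDepth: limit}
	l.Sig = ed25519.Sign(key, payload(l))
	return l
}

// VerifyChain walks from the originating grant (chain[0]) to the exercising leaf, checking
// signature continuity, scope subsetting and the depth limit at every link; nil means valid.
func VerifyChain(authority ed25519.PublicKey, chain []Link) error {
	signer, prev := authority, Link{Depth: -1, MaxDepth: 1 << 30} // virtual predecessor of the root
	for i, l := range chain {
		switch {
		case !ed25519.Verify(signer, payload(l), l.Sig):
			return fmt.Errorf("link %d: signature does not verify under its predecessor", i)
		case prev.Depth >= prev.MaxDepth:
			return fmt.Errorf("link %d: predecessor is terminal, chain unverifiable", i)
		case l.Depth != prev.Depth+1 || l.MaxDepth > prev.MaxDepth:
			return fmt.Errorf("link %d: depth fields widen the predecessor's limit", i)
		case i > 0 && slices.ContainsFunc(l.Scope, func(s string) bool { return !slices.Contains(prev.Scope, s) }):
			return fmt.Errorf("link %d: scope escapes the parent envelope", i)
		}
		signer, prev = l.Delegate, l // continuity: the next link must be signed by this delegate
	}
	return nil
}
```

With an originating grant of maximum depth 2, the chain authority -> A -> B -> C verifies, while C's attempt to re-delegate to D, a link whose scope adds an action the parent lacks, and an upstream link whose max-depth field was edited after signing are all rejected.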

Operating Parameters

Maximum chain depths are typically configured per capability class. High-assurance capabilities (medical power of attorney, financial signing authority, command authority) typically permit depth one or two; operational capabilities permit depth three to five; informational capabilities may permit larger depths. Expiration conditions are typically a combination of a wall-clock horizon (hours to weeks for operational delegations, longer for fiduciary delegations) and an action count (often single-digit to low-double-digit invocations before re-authorization is required). Scope subsetting is enforced lattice-style: each link's scope must be expressible as a meet of the parent's scope with an additional restriction predicate.

Zero-knowledge proof construction time is typically bounded in the tens-to-hundreds-of-milliseconds range for biometric commitments using current short-proof systems; verification time is typically in the single-digit-millisecond range. Chain walk cost grows linearly with chain depth, and the depth limit therefore bounds verification cost as well as authorization scope. Revocation is supported by the originating authority through a credentialed revocation observation that propagates to verifiers; a revoked predecessor invalidates all descendant tokens regardless of their independent expiration conditions.

Verifier policy may admit either of two freshness modes for the upstream identity proofs: strict freshness requires that every link in the chain present a fresh zero-knowledge proof of the relevant identity at exercise time, which is appropriate for high-assurance contexts but requires that all intermediate identities be reachable; cached freshness admits proofs generated at delegation time and stored in the chain link, which is appropriate for offline operation and for delegations whose intermediaries are not expected to be available at exercise time. The freshness mode is a per-capability declared parameter and is enforced uniformly by all verifiers operating under the same governance authority.

Alternative Embodiments

In a first alternative embodiment, the chain depth limit is uniform across all capabilities and configured at the system level rather than per capability. This embodiment simplifies policy management at the cost of coarser delegation control.

In a second alternative embodiment, the chain is recorded in a tamper-evident append-only log accessible to the verifying system; the verifier validates the chain by log inclusion proof rather than by walking signatures presented at exercise time. This embodiment supports auditability and revocation propagation in environments where reliable log access is available.

In a third alternative embodiment, the delegation token additionally binds to a context predicate (location, time-of-day, co-presence of a witness identity) that the verifier evaluates at exercise time; the delegate's authority is admitted only when the context predicate is satisfied. This embodiment supports situational delegations such as on-shift medical authority or in-theater command authority.

In a fourth alternative embodiment, the originating capability binds to a quorum of authority identities rather than a single authority; delegation tokens issued from such a capability require a threshold of authority signatures to be valid, and the chain walk verifies the threshold at the originating link. This embodiment supports multi-party-authorized capabilities such as joint signing authority.

Composition With the Wider Architecture

Multi-identity delegation composes with the biological-identity commitment layer that establishes per-identity public commitments without exposing biological material, with the zero-knowledge proof layer that authenticates identity presence without disclosure, with the capability-scoping layer that defines the lattice of authorization scopes, and with the revocation-broadcast layer that propagates credentialed revocation observations to verifiers. The structural property is that delegation does not require any new cryptographic primitive: it reuses the commitment, proof, and broadcast machinery already present for direct capability exercise and adds only the chain data structure and the depth-bounded walk.

The composition extends to audit and accountability. Each chain link is a self-contained signed record; an audit trail consists of the chain together with the per-exercise context signatures. Auditors verify accountability without learning any party's biological data. Compliance regimes that require provable separation of duties (no single identity's compromise yields broad authority) are supported by combining depth-limited chains with quorum-bound originating capabilities.

The composition further extends to cross-domain delegation. A capability granted under one governance authority may be delegated, through a bridge link signed by both authorities, into a chain whose subsequent links operate under a second authority's verifier. The bridge link records both authorities' commitments and reduces the maximum permitted depth by an amount declared in the bridge policy, so that cross-domain delegation is always strictly more constrained than within-domain delegation. Bridge links permit operational patterns such as inter-agency authorization, contractor-to-client delegation, and emergency mutual-aid authorization without requiring any party to operate outside its native governance authority.

Distinction From Prior Art

Conventional delegation systems based on attribute certificates, OAuth-style bearer tokens, or capability URLs do not bind to biological identity and therefore cannot enforce that the delegate is the human individual to whom delegation was intended; they bind to bearer possession or to public-key control, both of which are transferable independent of human identity. Conventional biometric authentication systems authenticate individual users but do not support delegation at all without exposing the biometric template or a derived secret. Conventional zero-knowledge identity schemes support direct authentication but do not specify a chain structure for transitive authorization with depth limits.

The disclosed architecture combines properties not jointly present in prior art: zero-knowledge biological identity proof at every link, a cryptographically-verifiable signed chain from exerciser to originator, scope-subsetting enforced lattice-style at each link, and a depth limit enforced by signature rather than by policy alone. The combination yields delegation that is biologically anchored, transitively verifiable, scope-bounded, and depth-bounded without disclosure of biological material to any party.

Disclosure Scope

This disclosure covers the mechanism by which a capability scoped to biological identity A is delegated to biological identity B for a bounded scope through a cryptographic chain that prevents re-delegation past a configured depth limit. The disclosure includes the delegation token structure, the chain walk, the depth-limit enforcement, the scope-subsetting rule, the revocation-propagation behavior, the freshness-mode policy, the bridge-link cross-domain composition, and the alternative embodiments described above. The disclosure does not claim any specific biometric modality, any specific zero-knowledge proof system, or any specific revocation transport; those elements are implementation choices left to the practitioner. The disclosure applies to identity domains in which a stable biological commitment can be derived under a one-way transform, including but not limited to face, fingerprint, iris, vascular, gait, voice, and multi-modal biometrics; the architectural property is independent of the modality and depends only on the commitment, proof, chain, and depth-limit machinery described.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie