DAH-DDH Slope Entanglement: Binding Agent Identity to Host Device Lineage
by Nick Clark | Published March 27, 2026
The Device Authority Hash (DAH) is the long-lived cryptographic root that establishes a host device's authority to execute, while the Dynamic Device Hash (DDH) is a continuously evolving commitment to the device's runtime measurements. Slope entanglement of these two hashes binds them into a single verification surface so that no operation may be authorized against either alone: the DAH supplies the standing entitlement, the DDH supplies the moment-to-moment integrity, and the entangled pair is the only artifact a verifier accepts. Rotation of either hash is performed atomically with respect to the other, so that no interval exists in which one is current and the other is stale.
Mechanism
The Device Authority Hash is constructed at device provisioning time by combining a hardware-rooted identity, the device's role declaration within the execution platform, and the public material of the keys entitled to act on the device's behalf. The DAH is signed by the authority that provisioned the device and is committed to the platform's authority lineage so that any participant may verify that a given DAH belongs to a device known to the platform. The DAH changes only on substantive events — re-provisioning, role change, key rotation — and each such change is itself a signed lineage event referring to the prior DAH.
The Dynamic Device Hash is constructed continuously from the device's runtime state. Inputs include the measured boot chain, the loaded execution images and their versions, the active configuration, the current values of attested counters, and any auxiliary measurements the platform requires for its security posture. The DDH is recomputed at policy-defined intervals and on policy-defined events, and each recomputation produces a signed measurement record that is itself committed to a measurement lineage maintained by the device.
Slope entanglement combines the two hashes into a single artifact that no operation against the device may bypass. The entanglement is not a simple concatenation: it is a structured commitment in which the current DAH and the current DDH are bound together with a slope record that captures the rate and direction of recent change in the DDH against the fixed reference of the DAH. The slope record encodes how the device's runtime state has been evolving, and the entangled artifact is verifiable only when both the DAH and the DDH are presented together with a slope record consistent with both.
A verifier receiving an operation request resolves the entangled artifact in three steps. First, the DAH is verified against the platform's authority lineage, establishing that the requesting device is known and entitled to its role. Second, the DDH is verified against the device's measurement lineage, establishing that the device's runtime state matches a measurement the device itself has signed and committed. Third, the slope record is verified against both lineages, establishing that the trajectory of the DDH between successive measurements is consistent with the DAH-defined expectation for the device's class and role. Failure of any step rejects the operation.
Atomic rotation is the property that ensures no operation may be authorized against a stale half of the entangled artifact. A rotation event — driven by either a DAH change or a DDH recomputation — produces a single committed transition in which both halves and the slope record are updated together. The platform does not admit a window in which the new DAH is in effect while the DDH still references the prior authority, nor a window in which a new DDH is published without an accompanying entanglement record consistent with the current DAH. This atomicity is enforced by the substrate's commit protocol, which writes the entangled record only when all three components verify together.
Off-substrate mutation — modification of the device's state by means that bypass the measurement chain — is detected because such mutation produces a DDH that does not match the device's measurement lineage, or a slope record that is inconsistent with the device's recent trajectory. The verifier rejects operations supported by such artifacts even if the DAH itself remains valid. Conversely, an attacker that compromises a device's runtime cannot fabricate a valid entangled artifact without also compromising the keys that sign measurement records, the keys that signed the DAH, and the lineages to which both are committed.
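To make the mechanism concrete, the following is an added worked model written for this page (it is not code from the disclosure or its author). It implements the entangled artifact, the verifier's three-step resolution, the fail-closed handling of missing material, and the atomic commit that refuses to write any half of the pair unless the whole triple verifies. HMAC-SHA256 with per-signer secrets stands in for the asymmetric signatures, both lineages are in-memory hash chains, and the slope record is represented as the bounded tail of measurement transitions together with the number of measurement inputs that changed in each, checked against a per-role envelope. The device identity, keys, role policy and measurements are all constructed placeholders.

```python
"""Toy model of DAH-DDH slope entanglement (added example, not the disclosure's
own code). Stand-ins: HMAC-SHA256 with per-signer secrets plays the role of the
asymmetric signatures, and lineages are in-memory hash chains. All keys, the
role policy and the measurements are constructed for illustration."""
import hashlib
import hmac
import json

AUTHORITY_KEY = b"provisioning-authority-secret"   # constructed stand-in for the authority's signing key
DEVICE_KEY = b"device-measurement-key-secret"      # constructed stand-in for the device's measurement key
SLOPE_WINDOW = 3                                   # policy: transitions carried in the slope record
ROLE_POLICY = {"sensor-gateway": {"max_changed_inputs": 1}}  # DAH-defined expectation per role (constructed)

def H(obj) -> str:
    """Canonical SHA-256 over any JSON-serialisable value."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def sign(key: bytes, digest: str) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def sig_ok(key: bytes, digest: str, sig: str) -> bool:
    return hmac.compare_digest(sign(key, digest), sig)

def slope_of(lineage):
    """Slope record: the bounded tail of the measurement lineage, one entry per transition."""
    return [{"ddh": r["ddh"], "changed": r["changed"]} for r in lineage[-SLOPE_WINDOW:]]

def verify(artifact, authority_lineage, measurement_lineage):
    """Three-step resolution. Returns "ok" or the reason for refusal; missing
    material is a refusal, never an absent constraint."""
    if not artifact or any(artifact.get(k) is None for k in ("dah", "ddh", "slope", "sig")):
        return "missing-component"
    # Step 1: the DAH must be the signed, current tip of the authority lineage.
    tip = authority_lineage[-1]
    if artifact["dah"] != tip["dah"] or not sig_ok(
            AUTHORITY_KEY, H({k: tip[k] for k in ("dah", "role", "prev")}), tip["sig"]):
        return "dah-not-current"
    # Step 2: the DDH must be the signed tip of the device's measurement lineage.
    if not measurement_lineage:
        return "measurement-lineage-unavailable"
    mtip = measurement_lineage[-1]
    if artifact["ddh"] != mtip["ddh"] or not sig_ok(
            DEVICE_KEY, H({k: mtip[k] for k in ("ddh", "prev", "changed")}), mtip["sig"]):
        return "ddh-not-in-lineage"
    # Step 3: the slope must match the lineage tail, stay inside the envelope the
    # DAH's role defines, and the binding signature over all three must hold.
    if artifact["slope"] != slope_of(measurement_lineage):
        return "slope-inconsistent"
    policy = ROLE_POLICY.get(tip["role"])
    if policy is None:
        return "role-policy-unknown"
    if any(s["changed"] > policy["max_changed_inputs"] for s in artifact["slope"]):
        return "slope-outside-envelope"
    if not sig_ok(DEVICE_KEY, H({k: artifact[k] for k in ("dah", "ddh", "slope")}), artifact["sig"]):
        return "entanglement-signature-invalid"
    return "ok"

class Device:
    def __init__(self, hw_id, role, pubkey):
        self.hw_id, self.role = hw_id, role
        self.measurements, self.entangled = None, None
        self.authority_lineage, self.measurement_lineage = [], []
        self._commit_dah(pubkey)

    def _commit_dah(self, pubkey):
        """Signed authority-lineage event referring to the prior DAH."""
        prev = self.authority_lineage[-1]["dah"] if self.authority_lineage else None
        event = {"dah": H({"hw": self.hw_id, "role": self.role, "pub": pubkey}),
                 "role": self.role, "prev": prev}
        event["sig"] = sign(AUTHORITY_KEY, H(event))
        self.authority_lineage.append(event)
        self.dah = event["dah"]

    def measure(self, measurements):
        """Recompute the DDH and commit DDH, slope and entangled artifact in one step."""
        prev = self.measurement_lineage[-1]["ddh"] if self.measurement_lineage else None
        changed = 0 if self.measurements is None else sum(
            1 for k in measurements if measurements[k] != self.measurements.get(k))
        record = {"ddh": H(measurements), "prev": prev, "changed": changed}
        record["sig"] = sign(DEVICE_KEY, H(record))
        candidate = self.measurement_lineage + [record]
        artifact = {"dah": self.dah, "ddh": record["ddh"], "slope": slope_of(candidate)}
        artifact["sig"] = sign(DEVICE_KEY, H(artifact))
        # Atomic commit: nothing is written unless all three components verify together.
        status = verify(artifact, self.authority_lineage, candidate)
        if status != "ok":
            raise ValueError(f"rotation refused: {status}")
        self.measurement_lineage, self.measurements, self.entangled = candidate, dict(measurements), artifact
        return artifact

    def rotate_dah(self, new_pubkey):
        """DAH rotation followed immediately by re-entanglement, so no interval
        exists in which the new DAH is current while the DDH references the old one."""
        self._commit_dah(new_pubkey)
        return self.measure(self.measurements)
```

A typical run provisions a Device, calls measure() with a dict of boot, image, configuration and counter values, and passes the returned artifact with the device's two lineages to verify(). A stale artifact from an earlier measurement fails at step 2, an artifact carrying the prior DAH after rotate_dah() fails at step 1, an artifact with its slope stripped is refused as missing material, and a measurement whose transition exceeds the role's envelope is rejected by the commit itself, leaving the device's previously committed state untouched.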
Operating Parameters
The recomputation interval for the DDH is a policy parameter and is typically configured between seconds and minutes depending on the operation classes the device supports. Devices that perform high-risk operations carry shorter intervals; devices in long-running steady state may carry longer intervals. The interval is itself committed to the device's measurement lineage so that a verifier can determine whether a given DDH is fresh enough for the operation it accompanies.
The slope record encodes a bounded window of recent DDH transitions. The window length is a policy parameter and is typically chosen to span several recomputation intervals, so that the slope reflects a trend rather than a single transition. The slope's representation may be a sequence of measurement deltas, a Merkle path through recent measurements, or a summary statistic derived from the recent trajectory; the choice is configurable and is itself committed to the lineage.
Rotation cost is dominated by the signature operations required to sign the new DAH or DDH and to bind the new entangled artifact. Devices with hardware signature acceleration may rotate the DDH at sub-second intervals; devices without acceleration carry longer intervals. The platform's commit protocol is structured so that rotation is constant-cost in the size of the lineage and linear-cost in the size of the slope window.
Verification cost is dominated by the lineage path verification required to anchor the DAH and the DDH to their respective lineages. For verifiers that perform repeated operations against the same device, a cache of the most recent verified lineage tip reduces this cost to verification of the delta since the last operation. The verifier is not required to retain device state between operations and may treat each operation as a fresh verification when desired.
Failure modes are explicit. A missing DDH is treated as a failed verification rather than as an absent constraint; a missing slope record is similarly disqualifying. A DDH whose measurement lineage cannot be retrieved is treated as failing rather than as deferred. The construction is biased toward refusal in the face of incomplete material, and this bias is structural rather than configurable.
Recovery from key compromise is performed by issuing a new DAH that revokes the compromised material and committing the transition to the authority lineage. Operations against the device under the compromised DAH cease to verify at the moment the new DAH takes effect, and operations under the new DAH require a fresh DDH and slope record consistent with the new authority. The recovery is itself a lineage event and is auditable after the fact.
Alternative Embodiments
In a first alternative embodiment the entanglement is realized as a single hash function over the concatenation of DAH, DDH, and slope record, with the function chosen so that any tampering with any component produces a detectable change in the output. This embodiment minimizes the size of the entangled artifact at the cost of requiring all three components to be presented together for verification.
In a second alternative embodiment the entanglement is realized as a Merkle root whose leaves are the DAH, the DDH, and each element of the slope record. A verifier may verify any subset of the components by presenting the corresponding Merkle paths, and operations may carry only the subset relevant to their authorization. This embodiment supports finer-grained verification at the cost of a larger artifact when full verification is required.
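The second embodiment, as an added example written for this page (not code from the disclosure or its author): the entangled artifact is a Merkle root over the DAH, the DDH and each slope element, an operation carries only the leaves it needs plus their Merkle paths, and the verifier checks the presented subset against the root. The example additionally requires the DAH and DDH leaves to be present in every subset, which is this example's way of preserving the joint-verification property; the leaf values are constructed placeholders.

```python
"""Second alternative embodiment as an added example (not the disclosure's own
code): the entangled artifact is a Merkle root over the DAH, the DDH and each
slope element, and an operation carries only the leaves relevant to it plus
their Merkle paths. Leaf values below are constructed placeholders."""
import hashlib

def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()          # domain-separated leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # domain-separated interior node

def _padded(level):
    """Duplicate the last node when a level has odd length."""
    return level + [level[-1]] if len(level) % 2 else level

def build_levels(leaves):
    """All tree levels, leaf hashes first, root last."""
    level = [leaf_hash(d) for d in leaves]
    levels = [level]
    while len(level) > 1:
        level = _padded(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_path(levels, index):
    """Sibling hashes from leaf to root, each tagged with the side the sibling sits on."""
    path = []
    for level in levels[:-1]:
        level = _padded(level)
        sib = index ^ 1
        path.append(("R" if sib > index else "L", level[sib]))
        index //= 2
    return path

def verify_leaf(root: bytes, data: bytes, path) -> bool:
    """Recompute the root from one leaf and its path."""
    h = leaf_hash(data)
    for side, sib in path:
        h = node_hash(h, sib) if side == "R" else node_hash(sib, h)
    return h == root

def entangle(dah: bytes, ddh: bytes, slope):
    """Root and levels of the tree whose leaves are [DAH, DDH, slope[0], slope[1], ...]."""
    levels = build_levels([dah, ddh] + list(slope))
    return levels[-1][0], levels

def proof_for(leaves, levels, indices):
    """Subset an operation carries: (leaf index, leaf data, Merkle path) per component."""
    return [(i, leaves[i], merkle_path(levels, i)) for i in indices]

def authorize(root: bytes, proof) -> bool:
    """Joint verification in the subset setting: the DAH (leaf 0) and DDH (leaf 1)
    must both be presented, and every presented leaf must hash to the committed root."""
    present = {i for i, _, _ in proof}
    if not {0, 1} <= present:
        return False
    return all(verify_leaf(root, data, path) for _, data, path in proof)
```

Because any change to a slope element alters the root, paths taken from a previous tree do not verify against the root of a recomputed one, so an operation cannot mix a current DAH with paths from a stale entanglement; and because authorize() insists on both leaves 0 and 1, a proof that presents the DDH and a slope element but omits the DAH is refused even though every path in it is valid.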
In a third alternative embodiment the slope record is replaced by a signed proof that the trajectory of the DDH falls within a policy-defined envelope, and the verifier checks the proof rather than reconstructing the trajectory. This embodiment reduces verifier-side work at the cost of a more complex prover-side protocol.
In a fourth alternative embodiment the DDH is computed by a hardware enclave or trusted platform module whose output is directly signed by a hardware-rooted key, and the entanglement binds the enclave's signature to the DAH-bound authority. This embodiment provides stronger resistance to off-substrate mutation at the cost of requiring suitable hardware on every host device.
In a fifth alternative embodiment the DAH is itself a vector representing the device's standing under multiple distinct authorities — for example, a manufacturer authority, an operator authority, and a regulator authority — with each component independently lineage-committed. The entangled artifact then binds the DDH to the relevant subset of authorities for the operation in question. This embodiment supports devices that operate under overlapping but non-identical governance regimes.
In a sixth alternative embodiment the recomputation interval for the DDH is itself dynamic, shortening on detection of anomalous trajectory and lengthening when the trajectory is stable. The interval is governed by a policy attached to the DAH and is itself part of the lineage, so that the operating regime of a device may evolve while remaining auditable.
Composition
DAH-DDH entanglement composes with the platform's authority lineage in that the DAH is itself a node in that lineage, and any change to the DAH is a transition in that lineage. The platform's authority structure therefore extends naturally to govern the entanglement, and policies that act on the lineage — for example, rotation schedules, revocation procedures, or escalation rules — act transitively on the entangled artifact.
The entanglement composes with the device's measurement lineage in that the DDH is the tip of that lineage at the moment of entanglement, and the slope record is a summary of recent transitions. A reviewer reading the device's measurement lineage may reconstruct, after the fact, exactly which DDH was in effect at any past moment and which DAH it was entangled with at that moment.
The entanglement composes with the platform's eligibility evaluation: the entangled artifact is an input to the determination of whether an operation may proceed, and the eligibility indicator advertised by an object touching the device may itself reference the entanglement. A consumer reading the indicator therefore observes, transitively, the device's entangled state without reading the DAH or DDH directly.
The entanglement composes with cross-device protocols in that operations spanning multiple devices carry the entangled artifact of each participant, and the protocol's verification is the conjunction of the per-device verifications. The composition is associative: protocols built from sub-protocols inherit the verification surface of the sub-protocols without modification.
Distinction Over Prior Art
Conventional device identity systems anchor authority in a long-lived certificate or hardware key and rely on a separate attestation protocol to convey runtime state. The two are presented to verifiers as independent artifacts and are typically verified independently. The construction differs in that the authority hash and the dynamic measurement hash are bound into a single entangled artifact whose verification is jointly conditional on both, so that no operation may be authorized against either alone.
Conventional remote attestation protocols produce point-in-time measurements signed by a hardware root of trust. The measurements are typically scalar — a current state — and do not encode trajectory. The construction differs in that the slope record encodes the trajectory of the DDH over a bounded window, allowing verifiers to detect anomalous trends as well as anomalous endpoints.
Conventional rotation protocols for device credentials require an interval during which both the old credential and the new credential are simultaneously valid, to allow in-flight operations to complete. The construction differs in that rotation of the DAH or the DDH is performed atomically with respect to the entanglement: there is no interval in which one half is current and the other is stale, and operations that arrive during a rotation either verify against the prior entangled artifact or against the new one but never against a hybrid.
Conventional approaches that combine identity and runtime state typically do so by signing the runtime state with the identity key, producing a signed assertion that is verifiable but not itself a state. The construction differs in that the entangled artifact is a state — a substrate-resident object that is recomputed and committed as the device evolves — rather than an assertion, so that consumers read it rather than receive it.
Disclosure Scope
The disclosure encompasses any construction in which a long-lived device authority hash and a continuously evolving dynamic device hash are bound into a single entangled artifact whose verification is jointly conditional on both, where rotation of either hash is performed atomically with respect to the entanglement, and where the artifact is committed to one or more lineages such that off-substrate mutation produces a detectable inconsistency at verification time.
The disclosure is not limited to any particular hash function, signature scheme, or hardware root of trust. Implementations using elliptic curve signatures, post-quantum signatures, hash-based signatures, software-only roots, hardware enclaves, trusted platform modules, or combinations thereof fall within the scope so long as the entanglement preserves the joint verification property and the atomic rotation property. The disclosure is similarly not limited to any particular representation of the slope record.
The disclosure extends to systems in which the DAH represents authority under a single authority, multiple co-equal authorities, or a hierarchy of authorities, and to systems in which the DDH is computed at fixed intervals, on observed events, or on a dynamic schedule responsive to recent trajectory. The structural properties — joint verification, atomic rotation, lineage commitment, and detection of off-substrate mutation — are preserved across these configurations.
The disclosure further extends to deployments across centralized cloud infrastructure, federated multi-party environments, decentralized networks, and edge installations, and to hosts ranging from large servers to constrained embedded devices. The construction does not depend on the deployment topology, and its guarantees are properties of the entangled artifact and the protocol that maintains it rather than properties of the environment in which the protocol runs.