Pseudonymous Propagation: Recognition by Slope Rather Than Global Identifier

Mechanism

Pseudonymous propagation begins when a workload is admitted at an originating substrate and assigned a propagation handle. The handle is not a globally registered identifier, nor is it a stable cryptographic key bound to a single principal. It is a derived token computed from the workload's declared role, its current lineage hash, and a propagation salt issued by the originating zone. Because the salt is rotated on each propagation step, the handle observed at one substrate is not equal to the handle observed at the next, even when the underlying workload has not changed. An external observer monitoring traffic between substrates sees a sequence of handles that are pairwise unlinkable without knowledge of the rotation discipline. The handle therefore performs the function of a routing label without performing the function of an identity, and intermediate substrates can address the workload, queue it, replicate it, and forward it without ever participating in identity-bearing operations.

Recognition is performed by slope comparison. Each substrate that receives a propagated workload computes the differential between the previous declared posture, embedded in the workload envelope as a signed slope record, and the posture declared at receipt. The slope record encodes the rate of change in declared capability, governance scope, and lineage depth, expressed as a vector over a small fixed set of dimensions. Two consecutive slope records that agree, within tolerance, on the expected differential are accepted as continuous; a slope discontinuity, such as an unexpected jump in declared capability or a regression in lineage depth, is treated as a propagation fault and the workload is refused. The slope abstraction allows recognition to be performed structurally rather than nominally: the receiving substrate is not asking "is this the same workload I saw before" but rather "is the trajectory I observe consistent with a continuation of a workload of this declared character." That distinction is what permits unlinkability and recognition to coexist within the same primitive.

Identity binding is deferred to the consumption point. Intermediate substrates that merely forward, replicate, or stage the workload never resolve the pseudonymous handle to a real principal. They evaluate slope continuity, attest the propagation step, and append a signed receipt to the workload's lineage chain. Only the consuming substrate, the one that intends to execute, settle, or render an externally observable effect from the workload, performs the binding step. Binding consults the originating zone's resolution service, presents the full lineage chain, and receives back the canonical principal record together with a use-once binding token. Once binding is performed, the binding event is itself appended to the lineage chain, sealing the trajectory. A consequence of this design is that the population of nodes that ever hold identity-bearing material is restricted to a small, auditable set of resolution services and bona fide consumers; the much larger population of routing, caching, and replication intermediaries handles only handles, slope records, and lineage roots.

Tamper evidence is provided by an append-only Merkle-structured lineage chain that travels with the workload. Each propagation step contributes a signed entry containing the previous root hash, the current slope record, the handle in use at that step, and the substrate's attestation key identifier. Any modification to a prior entry invalidates all subsequent roots. Because the chain travels with the workload rather than residing in a central registry, verification does not require contacting an external authority and remains possible across network partitions, offline replays, and cold-storage forensic review. The chain's locality is significant: it transforms propagation auditability from a property of a service into a property of the artifact itself, so that a workload recovered from an archived medium years after the fact still carries within it the cryptographic record of how it travelled.

The mechanism composes with the platform's broader admission and migration controls. A workload that fails slope continuity is not silently dropped; it is quarantined into a refusal queue with its lineage intact, so that the originating zone can later determine whether the discontinuity reflects a benign reconfiguration, a misrouted hop, or an active tampering attempt. Refusal events are themselves cryptographically committed, ensuring that an adversary cannot suppress evidence of a failed propagation by triggering a refusal at a controlled intermediate node. Quarantine queues are scoped per zone and per refusal class, so operators can distinguish, in their post-incident review, between propagation faults that arose from upstream substrate misbehaviour and those that arose from the workload's own envelope inconsistency. The refusal pathway is therefore not a dead end but a diagnostic surface, and one that an adversary cannot shape to their advantage because the cryptographic commitments associated with refusal travel back along the lineage chain.

A further property of the mechanism is that it is symmetric with respect to direction. The same handle-derivation, slope-record, and binding-deferral discipline applies to forward propagation, return propagation, and cross-zone replies. A response that traverses the substrate fabric does so under the same pseudonymous regime as the request that elicited it, and the lineage chain accumulates entries on the return path just as it did on the outbound path. This symmetry is what permits an end-to-end audit, in which the verifier observes a closed loop of propagation, recognition, binding, and reply, all without any intermediate substrate having held identity-bearing material at any point.

Operating Parameters

The propagation salt rotation interval is a tunable parameter bounded by the expected propagation latency between substrates. In typical deployments the salt is rotated once per propagation hop, ensuring strict pairwise unlinkability of handles. In bandwidth-constrained or batch-oriented environments the rotation may be coarsened to a window of several hops, trading observability resistance for reduced cryptographic overhead. The platform refuses to operate with a rotation window that exceeds the deployment's declared trust horizon for the intermediate substrates. Operators configuring the salt regime must articulate, as part of the deployment manifest, the threat model under which the chosen window is acceptable, and the platform records that articulation as part of the zone configuration.

Slope tolerance is expressed as a bounded vector norm over the capability, governance, and lineage-depth dimensions. The default tolerance permits monotonic growth in lineage depth, monotonic non-expansion in capability scope, and zero deviation in governance scope. Deployments that require capability narrowing as a workload approaches a sensitive zone can configure a strictly contracting capability profile; deployments that operate across federated administrative domains can configure dimension-specific tolerances that reflect the negotiated posture between domains. The tolerance vector is itself a signed artifact of the zone configuration, so that a verifier replaying a propagation history can confirm not only whether each slope step was within tolerance but also whether the tolerance applied at the time of propagation was consistent with the published zone posture.

Lineage chain depth is bounded by a deployment-level maximum. When a workload approaches the maximum depth, the platform performs a lineage compaction step in which a contiguous prefix of entries is replaced by a signed summary entry that preserves the cryptographic root and the salient slope statistics. Compaction is performed only by substrates designated as compaction authorities for the originating zone, and the compaction event is itself recorded. Compaction therefore behaves as a controlled erasure: the granular hop-by-hop record is condensed, but the cryptographic continuity of the chain is preserved, and the act of condensation is itself part of the chain. Verifiers that require the granular form can request, via the zone's resolution service, a sealed expansion of a compacted prefix, subject to authorisation policy.

Binding-token lifetimes are short and use-once. The default is a single-use token valid for a configurable seconds-scale window after issuance, sufficient for the consuming substrate to perform a single execution or settlement and no more. Replay of a spent binding token is detected at the resolution service and triggers a propagation fault that is reflected back into the workload's lineage chain. The use-once discipline ensures that a compromised consuming substrate cannot accumulate binding capability over time; each consumption requires a fresh resolution event, and each fresh resolution event is observable to the originating zone's audit pathway.

Attestation keys used by intermediate substrates are scoped per zone and rotated on a schedule independent of the propagation salt. Key rotation events are published into the lineage verification path so that a verifier replaying an old chain can resolve historical attestations against the keys that were valid at the time of signing. The independence of these rotation schedules is deliberate: it prevents a single rotation event from invalidating both the unlinkability properties and the verifiability properties of in-flight workloads, and it allows operators to respond to a suspected key compromise without disturbing the salt regime that governs handle unlinkability.

Resolution-service availability is treated as a deployment parameter rather than a precondition. The platform tolerates transient unavailability of the resolution service by allowing intermediate propagation to continue while gating consumption. Workloads may travel arbitrarily far through the substrate fabric while resolution is unavailable, but they cannot be bound to a principal, and therefore cannot produce externally observable effects, until resolution returns. This separation of propagation availability from binding availability is what makes the mechanism suitable for partition-tolerant and intermittently connected deployments.

Alternative Embodiments

In a first alternative embodiment, the slope record is computed over a richer dimensional space that includes declared data sensitivity, expected residency zone, and a vector of policy obligations. This embodiment is appropriate where workloads cross between administrative domains with materially different obligation profiles, and where slope continuity must capture the negotiated obligation envelope rather than only the structural posture. The richer dimensional space increases the discriminating power of the slope check at the cost of requiring inter-domain agreement on dimension semantics, and the disclosure contemplates a registration mechanism by which participating domains publish their dimension definitions in a manner that participating substrates can consume.

In a second embodiment, the propagation handle is constructed as a verifiable random function output over the lineage hash and a domain-separated tag, rather than as a salted derivation. This permits a verifier to confirm, given the lineage hash and a public verification key, that a sequence of handles was produced by the same canonical workload, while preserving unlinkability against parties who lack the verification key. The verifiable-random-function variant is particularly useful in deployments where a trusted auditor is granted retrospective linkability without intermediates being granted real-time linkability.

In a third embodiment, identity binding is performed in a threshold manner across multiple resolution services, each holding a share of the canonical principal record. The consuming substrate must collect a threshold of shares to obtain the binding, ensuring that no single resolution service can unilaterally deanonymise propagating workloads. The threshold variant is suited to multi-party deployments in which the originating zone, the operator of the substrate fabric, and an independent oversight body each hold a share, and binding therefore requires concurrence among parties whose interests are not fully aligned.

In a fourth embodiment, the lineage chain is replicated into a witness service that is contractually prohibited from performing identity resolution but is permitted to publish chain roots. This embodiment serves regulated deployments in which a third-party witness is required to attest that propagation occurred, without that witness being granted any identity-bearing capability. The witness service publishes only Merkle roots and timestamps, providing an external anchor for the chain's existence without participating in resolution.

In a fifth embodiment, slope evaluation is delegated to a co-located policy engine that imports the slope record and emits an accept, refuse, or quarantine verdict together with a signed reasoning trace. The reasoning trace is appended to the lineage chain and supports later audit of why a particular propagation step was admitted. Delegation to a policy engine permits operators to express slope tolerances as declarative policy rather than as numeric vectors, and to evolve those policies independently of the platform's core code path.

In a sixth embodiment, the platform supports a degraded mode in which slope records are unavailable, for example when interoperating with a legacy substrate that does not emit them. In this mode the workload is admitted only into a constrained execution envelope that prohibits external effects and forces full re-attestation at the next compliant substrate. The degraded mode is not a fallback in the sense of relaxed security; it is a constrained mode in the sense of reduced capability, designed so that interoperability with non-conforming substrates does not erode the platform's invariants for conforming ones.

In a seventh embodiment, the propagation handle and the slope record are bound together cryptographically such that the slope record cannot be replayed against a different handle. This binding closes a class of cut-and-paste attacks in which an adversary attempts to fabricate a workload whose handle is fresh but whose slope record was captured from a legitimate prior workload. The bound construction makes such reuse detectable at the next substrate.

Composition With the Cognition-Native Execution Platform

Pseudonymous propagation is not a standalone protocol layered above the platform; it is a structural primitive that interlocks with the platform's admission, migration, and consumption mechanisms. The structural validator described elsewhere in this disclosure inspects, at admission time, that a workload entering a zone carries a well-formed lineage chain and a slope record whose continuity is verifiable. Workloads that lack these elements are refused at admission, ensuring that pseudonymous propagation cannot be bypassed by smuggling a workload through an alternative ingress path. The validator and the propagation primitive therefore enforce a two-sided constraint: the propagation primitive ensures that conforming workloads carry the necessary structures, and the validator ensures that no workload lacking those structures can enter the protected substrate.

Zone migration consumes the lineage chain produced by propagation as part of its cryptographic handoff protocol. When a workload migrates between zones, the migration handoff includes a signed transition record that references the most recent lineage root, ensuring that the post-migration chain is a strict extension of the pre-migration chain. This composition prevents an adversary from reconstructing a workload at a target zone with a forged history, and it allows post-migration verifiers to walk the chain across the migration boundary without special-casing the transition. The cryptographic handoff and the propagation chain are therefore two facets of a single auditable trajectory.

The consumption-point binding interacts with the platform's deterministic evaluation discipline. Because evaluation outcomes depend on the bound principal record and on the lineage chain's accumulated slope, two evaluators presented with the same workload and the same binding result reach the same verdict. This determinism is required for the platform's broader guarantees of replayable, partition-tolerant execution. It is also what makes the propagation primitive composable with the platform's settlement layer: a settlement event can be verified against the same lineage chain that governed the propagation, and any attempt to settle on the basis of a divergent chain is detectable.

Lineage entries produced by propagation are visible to the platform's audit and governance subsystems through a uniform export interface. Auditors can replay a workload's full propagation history, verify slope continuity offline, and detect any divergence between the declared trajectory and the recorded one without being granted identity-resolving capability. This separation of audit capability from resolution capability is the operational realisation of the disclosure's central claim: that recognition and identity are distinct, and that the platform need only grant the lesser capability to most parties while reserving the greater for a small set of consumers and resolvers.

Prior-Art Distinction

Conventional pseudonymous communication systems, such as mix networks and onion-routed overlays, achieve unlinkability between sender and receiver through traffic-level transformations but do not bind an evolving workload posture to the propagation path. They treat the payload as opaque and provide no mechanism by which an intermediate substrate can refuse a payload whose declared trajectory has become structurally inconsistent. The mechanism disclosed here departs from this approach by making slope continuity a first-class admission condition, so that intermediate substrates can refuse workloads on structural grounds without ever inspecting payload semantics or resolving identity.

Conventional capability-token systems, such as bearer-token authorisation in distributed service meshes, bind a token to a principal at issuance and rely on the token's secrecy for unlinkability. Compromise of the token compromises the linkage, and intermediate services that handle the token observe its identity-bearing form. The disclosed mechanism inverts this property: intermediates handle handles that are derived per hop and never observe the canonical principal record, so that compromise of any number of intermediates does not compromise the linkage between propagating workloads and their canonical principals.

Conventional supply-chain attestation frameworks, such as those used for software artifact provenance, produce signed lineage records but typically resolve the artifact's identity at every verification step. They do not separate propagation from binding, and they do not define a slope-continuity discipline by which an intermediate verifier can refuse a workload without resolving identity. Their lineage records function as audit logs rather than as admission gates, and they assume a single trust authority at the top of the chain rather than a multi-zone federation.

Conventional anonymous credential systems support unlinkable presentations of attribute claims but do not propagate a stateful workload across substrates with a tamper-evident trajectory. They address the disclosure question at presentation time, not the propagation question across a multi-hop substrate fabric. They are compatible with, but distinct from, the propagation primitive disclosed here, and they could in principle be used as the underlying credential mechanism for the binding step without altering the propagation primitive itself.

Conventional content-addressed storage systems achieve unlinkability of access patterns through hash-based addressing but do not propagate evolving workloads, do not capture trajectory, and do not provide a refusal pathway for structurally inconsistent updates. The disclosed mechanism is concerned with the propagation of workloads that change as they travel, and the slope discipline addresses precisely the regime that content-addressing does not.

The disclosed mechanism distinguishes itself from each of these prior approaches by integrating four properties simultaneously: per-hop unlinkable handles, slope-based recognition without identity resolution, deferred binding at consumption, and tamper-evident lineage that travels with the workload. No prior system combines these properties as structural primitives of the execution substrate.

Disclosure Scope

This disclosure is directed to pseudonymous propagation as a structural primitive of the cognition-native execution platform described in US 19/230,933. The scope of the disclosure includes the construction of propagation handles, the slope-record format and its tolerance discipline, the lineage chain structure and its compaction rules, the deferred binding protocol with its use-once token semantics, and the integration of these elements with admission, migration, and consumption flows.

The disclosure is not limited to any particular cryptographic primitive for handle derivation, signature, or chain commitment. It is not limited to a particular slope dimensionality, tolerance metric, or compaction policy. It is not limited to a particular substrate topology and is intended to apply equally to centralised cloud deployments, federated multi-party deployments, and intermittently connected edge deployments. The disclosure is similarly agnostic with respect to the transport that carries propagating workloads between substrates, and applies equally to message-passing, shared-store, and stream-replication transports.

The disclosure expressly contemplates the alternative embodiments enumerated above and any combination of them that is not internally inconsistent. The disclosure further contemplates degraded-mode operation, threshold and witness variants, and policy-engine delegation, each as embodiments within the scope of the disclosed mechanism. Combinations such as threshold binding with witness replication and policy-engine delegation are within scope, as are deployments that adopt different combinations in different zones of a single federated substrate.

The disclosure is bounded by the requirement that propagation, recognition, and binding operate as deterministic structural properties of the execution substrate, rather than as advisory protocols layered above it. Implementations that relegate any of these properties to optional middleware fall outside the disclosed scope. Implementations that retain the structural character of the primitive while varying its constituent algorithms remain within scope.