Mechanism
Biometric-assisted reseeding is an optional source of fresh, non-exported unpredictability used during entropy anchor rotation. It does not exist as a standalone protocol. In the disclosed system, identity is expressed as a trust slope: a cumulatively validated sequence of dynamic agent hashes or dynamic device hashes formed by successive verifiable mutations, where each step binds to the prior step and to a source of local unpredictability. To maintain long-term health of that process, the system periodically regenerates an entropy anchor and reinitializes the slope. Biometric capture is one permitted contributor of unpredictability to that reseed operation, composing with the hardware-anchor and local-state sources rather than replacing them.
The rotation in which reseeding occurs is driven by a slope health monitor. The monitor evaluates indicators of staleness, including elapsed-epoch thresholds, drift or cadence anomalies in observed successors, entropy reuse heuristics, trust degradation events, or compromise signals emitted by the substrate. When a monitored condition satisfies local policy, a staleness determination triggers reseeding. Reseeding is therefore a policy-conditioned event, not a fixed schedule, and the triggers are the monitored staleness indicators the specification enumerates, not a separate time interval or operation budget.
The Reseed Operation
On a staleness determination, a reseed command initiates generation of a new entropy anchor and a corresponding new initial identity, which is the slope root for the next epoch. The new initial identity is computed under the same update rule used throughout the disclosure, with a versioned domain separator that distinguishes anchor epochs. Because the same update rule and the same permitted unpredictability sources are used across epochs, verification of the post-rotation slope remains uniform with verification of any other slope segment.
Where the entropy source is hardware-anchored, the new anchor is derived from a keyed function applied to a static hardware identifier and a fresh volatile salt. Where the source is local-state, the anchor is derived from a stability-tuned local state vector processed by a strong extractor. Hybrid embodiments combine both contributions in the same step. The biometric path supplies an additional contribution to the reseed command and composes with either of these source embodiments.
The Biometric Path
In the biometric-assisted path, a biometric capture, for example a fingerprint, voiceprint, retinal, gait, or behavioral feature, is pre-processed and transformed by a privacy-preserving fuzzy extractor to yield a bounded seed. Optional liveness verification may be applied. The bounded seed is used only locally to derive or augment the new anchor for the reseed command, contributing additional non-exported unpredictability. The specification names these stages directly; it does not specify a particular secure-sketch code family, a helper-data size, a seed bit-length, or a per-modality entropy floor, so this article asserts none.
The defining constraint is non-export. The biometric seed is never stored or exported in raw form. The capture is consumed locally into the bounded seed and used only to contribute unpredictability to the anchor derivation. This is what makes the path privacy-preserving in the specification's framing: the system gains fresh local entropy without retaining biometric material that could be correlated or exfiltrated.
Augment, Never Replace
The specification is explicit that optional biometric reseeding augments, but never replaces, the hardware-anchor and local-state unpredictability sources, and that it is confined to privacy-preserving fuzzy extractors with liveness verification. The biometric contribution is therefore additive: it raises the freshness of a reseed by mixing in non-exported unpredictability derived from a live biometric, while the underlying anchor still draws on a hardware anchor with volatile salt, a local-state vector through an extractor, or a hybrid of both. A deployment that omits the biometric path loses nothing structural; a deployment that uses it gains an additional, locally controlled entropy contribution at rotation time.
Continuity Across the Rotation
Reseeding establishes a new epoch, so the specification preserves verifiability across the transition with a forward link. The forward link is recorded to bind the terminal value of the prior anchor epoch to the new initial identity. Downstream verifiers use it to reconcile pre-rotation and post-rotation segments under policy, without requiring global coordination or persistent registries. This is the actual continuity primitive disclosed for rotation: a recorded forward link between the old epoch's terminal value and the new initial identity, not a separately defined hash of old and new seeds together with a timestamp and context.
A verifier that encounters a rotated identity requests or receives bounded proofs that include the forward link and the new initial identity. It then replays successors along the new slope and confirms that the new epoch opens to the prior epoch through the forward link in accordance with policy. Rotation policy governs how prior epochs are treated: the pre-rotation slope may be made read-only and excluded from future successor validation, marked for archival, and protected by replay-prevention rules that reject reuse of identifiers from the retired epoch. In another embodiment, a grace window permits parallel acceptance of both epochs solely for bridging proofs that open through the recorded forward link.
Composition With the Rest of the System
Because the new initial identity is computed under the same update rule with a versioned domain separator, the reseeded slope composes transparently with the verification mechanisms used elsewhere in the system. Slope validation, append-only mutation lineage, delayed and sparse verification, and entanglement of agent mutations with the executing host's device identity all proceed uniformly across the anchor boundary, since the post-rotation slope is just another segment validated by monotonic continuity from a trusted point.
The biometric path inherits the system's source-agnostic posture. The verification process is neutral to the unpredictability source employed: hardware-anchor embodiments enforce freshness through non-repeating salts, local-state embodiments through stability-tuned extractor outputs, and the biometric contribution feeds the same reseed command without introducing a public-key primitive. Identity formation continues to depend on local unpredictability and hash-based commitments rather than algebraic assumptions vulnerable to Shor-type quantum attacks, so adding biometric-derived entropy at rotation does not alter the post-quantum posture.
Distinction From Stored-Template Biometrics
Conventional biometric authentication stores a template and matches incoming captures against the store. The disclosed path stores no template: the capture is transformed by a privacy-preserving fuzzy extractor into a bounded seed that is never stored or exported in raw form, and the seed is used only to augment a reseed operation. The biometric here is not an identity of record; it is a transient, locally consumed contributor of unpredictability to entropy anchor rotation.
The path is also distinct from biometric key derivation used as a standalone credential. In this system the biometric never produces the operative identity on its own. The operative identity remains the trust slope, advanced by the disclosed update rule from hardware-anchor, local-state, or hybrid unpredictability, with the biometric contribution confined to augmenting the anchor at rotation and confined to privacy-preserving fuzzy extractors with optional liveness verification.
Disclosure Scope
Biometric-assisted reseeding, as the optional contribution of local unpredictability derived from a biometric capture through a privacy-preserving fuzzy extractor with optional liveness verification, used only to augment entropy anchor rotation and never exported in raw form, is disclosed in U.S. Application No. 19/388,580 in the description of entropy anchor rotation and adaptive slope reinitialization. This article describes that disclosed mechanism: the slope health monitor and staleness determination that trigger a reseed command, the generation of a new entropy anchor and new initial identity under the same update rule with a versioned domain separator, the biometric capture and fuzzy extractor that yield a bounded seed, the composition of that seed with hardware-anchor and local-state sources, and the forward link that binds the prior epoch's terminal value to the new initial identity so verifiers can bridge pre-rotation and post-rotation segments under policy.
The scope covers any biometric modality whose capture is reduced to a bounded seed by a privacy-preserving fuzzy extractor and never exported, with or without liveness verification, composing with hardware-anchored, local-state, and hybrid entropy sources, and reconciled across the rotation by a recorded forward link with read-only retirement of the prior epoch or a grace window for bridging proofs. The scope excludes embodiments that store or export raw biometric material, embodiments in which the biometric replaces rather than augments the hardware-anchor or local-state sources, and embodiments in which continuity across rotation is established by a public-key primitive rather than by the disclosed hash-based forward link. The article asserts no seed lengths, helper-data sizes, entropy floors, rotation intervals, or operation budgets, because the specification states none for this path.
