Continuity-Identity Processor IC: Silicon-Block Embodiment

Mechanism

The IC integrates four functional blocks on a single die. A sensor-interface block conditions the incoming biological signal — heart-rhythm, gait, vocal-tract resonance, or any signal that carries a slowly-varying continuity — into a normalized digital stream. A locality-sensitive hash engine computes a hash whose Hamming distance to a successor hash, computed from a slightly-later sample of the same signal, is small with high probability when the underlying biology is the same and large when it is not. A signing block stamps the hash with a key bound to the die at fabrication. A controller orchestrates the three blocks and exposes a bounded external interface.

The locality-sensitive hash is the core primitive. Conventional cryptographic hashes are designed so that any input perturbation produces a maximally divergent output; this property is the wrong one for biological signals, which always carry sample-to-sample noise even when the underlying identity is unchanged. The locality-sensitive construction inverts the property: small input perturbations produce small output perturbations, while different underlying signals produce divergent outputs. The continuity test becomes a Hamming-distance comparison between successive hashes rather than an exact-match comparison.

The signing block binds the hash to the silicon. The signing key is generated inside the die at fabrication, never leaves the die, and is unreadable through any external interface. The signed hash carries a proof that the hash was computed by this specific die rather than by software claiming to be this die. Downstream verifiers consume the signature to bind the continuity claim to a hardware root.

The controller exposes a narrow interface: present a signal, receive a stamped hash. The interface does not expose the raw signal, the raw hash, or the signing key; it exposes only the stamped artifact. This narrowness is the structural property that makes the IC the trust boundary of the surrounding device.

Operating Parameters

Several parameters govern IC behavior. The hash dimension determines the output bit-width and the achievable resolution of the Hamming-distance comparison; higher dimensions improve discrimination at the cost of die area and per-stamp compute. The sensor sampling rate and the conditioning bandwidth jointly determine the temporal resolution of the continuity signal; both are set at fabrication for a given product variant, with a calibration register exposed for fine-tuning within a bounded range. The Hamming threshold below which two successive stamps are deemed continuous is set by the verifying authority rather than by the IC itself; the IC produces only the stamped hash and leaves the comparison to the verifier.

Stamp throughput is parametric. The signing block can be configured to stamp at the sensor rate, at a sub-sampled rate, or only on external request. Sensor-rate stamping produces the densest continuity record but consumes the most power; on-request stamping is appropriate for devices that produce identity attestations only at session boundaries.

Power and thermal envelopes are constrained by the deployment domain. An automotive variant operates across the full automotive temperature range and integrates with a vehicle's ECU power rail; a medical variant operates at the lower power envelope of an implantable or wearable; a defense variant integrates tamper-detect circuitry that zeroes the signing key on detected die tampering. The functional blocks are common across variants; the envelopes are not.

Lifecycle parameters govern the signing key's provenance. The key is generated inside the die during fabrication using on-die entropy; the public counterpart is exported once at die test and recorded in a vendor-attested registry. Subsequent attestations consult the registry to confirm that a signed stamp was produced by a known-good die. Key rotation is not supported by design: the key is the die, and a die that needs a new key needs a new die.

Alternative Embodiments

The IC may be embodied as a discrete chip in its own package, as an IP block integrated into a larger SoC, or as a chiplet in a multi-die package. The discrete embodiment is preferred where the surrounding device is assembled from multiple vendors' silicon and where the continuity-identity function must be sourced independently. The IP-block embodiment is preferred where the SoC vendor is also the system integrator and where die-area economics favor consolidation. The chiplet embodiment is preferred where the surrounding silicon process node is unsuitable for the analog sensor interface and the continuity-identity logic must be fabricated in a different node.

The locality-sensitive hash engine may be embodied as a dedicated combinational pipeline, as a programmable engine running a hash kernel from on-die ROM, or as a hybrid where the kernel is fixed in ROM but the parameters are loaded at boot. The fixed-pipeline embodiment minimizes power and area; the programmable embodiment supports kernel updates across product generations within a single mask set.

The signing block may be embodied around any signing primitive: ECDSA over a standard curve, EdDSA, or a post-quantum scheme. Migration between primitives is a successor-die concern; the IC's continuity logic is independent of the signing primitive. A multi-primitive embodiment, in which the signing block stamps with two primitives concurrently to cover a transition window, is also disclosed.

The sensor interface may be embodied for any biological signal that carries a continuity property. Variants are described for cardiac, gait, vocal, ocular, and dermal-electrical signals. The downstream blocks are common across variants; only the conditioning circuitry changes.

Composition

The IC composes upward with the keyless-identity protocol. The protocol consumes stamped hashes from the IC and assembles them into a continuity record that downstream verifiers consult. The IC is the protocol's hardware root; the protocol is the IC's deployment substrate. Neither is functional without the other in a production deployment.

The IC composes laterally with conventional secure elements. A device that contains a TPM, a secure enclave, or a secure microcontroller may also contain a continuity-identity IC; the two are not substitutes. The conventional secure element provides static key storage and signing primitives for the device's broader cryptographic needs; the continuity-identity IC provides the biology-bound continuity attestation that the conventional element cannot produce because it has no sensor interface and no locality-sensitive hash engine.

The IC composes downward with the silicon process technology. The functional blocks are technology-portable: any process node that supports the analog sensor interface and the digital hash and signing logic can host the IC. Process migration is a periodic concern of any silicon product; the IC's architecture does not constrain it.

Prior-Art Distinction

Conventional biometric chips capture a biological signal, extract a feature template, and compare the template against a stored enrollment. The comparison is the chip's output; the template itself is held inside the chip or in a paired secure store. The mechanism here does not extract a template, does not store an enrollment, and does not perform comparison on-die. It produces a stamped locality-sensitive hash whose continuity property is verified by external comparison against the stamp's predecessors. The absence of an enrolled template is the structural distinction: there is no enrollment to steal, replay, or substitute.

Conventional secure elements bind a static key to silicon and sign arbitrary external data with the key. The signing operation is correct but is independent of any biological reality; a software caller can present any data and obtain a signature. The mechanism here couples the signing operation to the on-die hash of an on-die-conditioned biological signal; the signed artifact is structurally inseparable from the biology that produced it. The coupling is what makes the artifact an identity attestation rather than a generic signature.

Conventional locality-sensitive hashing exists as a software construct in retrieval and clustering applications. Its silicon embodiment, particularly its embodiment as a co-processor with an integral signing block and a sensor interface, is the architectural step taken here.

Implementation Considerations

Sensor-conditioning circuit design is the first practical concern. The locality-sensitive hash engine assumes a normalized digital stream whose noise envelope is well-characterized; a stream whose noise envelope drifts with temperature, supply voltage, or ambient electromagnetic conditions will produce hashes whose Hamming distance varies for reasons unrelated to identity continuity. The conditioning block must therefore include compensation circuitry sufficient to hold the noise envelope inside the design margin across the deployment domain's environmental range. Automotive and industrial variants typically require more compensation than medical wearable variants, both because the environmental range is wider and because the sensor itself is more exposed.

On-die entropy quality is the second. The signing key is generated from on-die entropy at fabrication; an entropy source that produces correlated output across dies of the same wafer or that produces predictable output under specific fabrication conditions undermines the per-die uniqueness of the key. Production deployments use entropy sources whose statistical quality is verified at die test, with dies failing the verification rejected before the public key is recorded in the vendor registry. The IC's architecture is independent of the entropy source's specific construction; the practical requirement is that the source pass the verification.

Vendor-registry curation is the third. The public counterpart to each die's signing key is recorded in a vendor-attested registry whose integrity downstream verifiers depend on. A registry that admits keys from non-vendor sources, that loses keys, or that fails to revoke keys for dies known to have been physically tampered with reduces every downstream verification to the registry's reliability. Production deployments treat the registry as a critical-infrastructure system with corresponding controls; the IC's design is independent of the registry's specific implementation.

Test-port discipline is the fourth. Silicon test ports are necessary for fabrication-time validation but are an attack surface for post-fabrication key extraction. Production embodiments fuse test ports closed at die test, after the public key has been read out, so that the key can never be re-read after the die enters the supply chain. Embodiments that retain a test port for field diagnostics expose the port through a challenge-response mechanism rooted in the same signing key, so that diagnostic access does not require key exposure.

Disclosure Scope

The disclosed IC covers any silicon-class component that integrates, on a single die or in a single package, a biological-signal sensor interface, a locality-sensitive hash engine over the conditioned signal, and a signing block whose key is bound to the die at fabrication and stamps the hash with a hardware-rooted proof. The disclosure is independent of the specific biological modality, the specific locality-sensitive hash family, the specific signing primitive, and the specific process node.

Provisional Application No. 64/050,895 describes embodiments of the IC for cardiac and gait signals in automotive and medical product variants. The disclosure is not limited to those embodiments. The claims encompass any IC whose sensor, hash, and signing blocks together produce a stamped locality-sensitive hash bound to the die's hardware root, regardless of the modality of the biological signal, the family of the hash, the algorithm of the signing primitive, or the deployment domain of the surrounding device.