Dual-Source Identity Derivation: Hardware Anchors and Local State Vectors Combined Per Epoch
by Nick Clark | Published March 27, 2026
Dual-source identity derivation, as disclosed in Provisional Application 64/050,895 and continued in US 19/388,580, derives each per-epoch identity contribution from two independent sources, requiring both to be present and coherent before an identity is considered valid. The two sources are independent in the information-theoretic sense: knowledge of one source does not reduce the entropy of the other, and compromise of one source does not yield the other. Cross-source coherence, the requirement that the two sources agree on a derived value computed from each, functions as the system's primary anti-fraud mechanism. This article describes the mechanism in white-paper depth, enumerates its operating parameters, surveys alternative embodiments, situates it relative to prior identity art, and defines the disclosed claim scope.
Mechanism
The dual-source derivation proceeds in three stages per epoch: source acquisition, source extraction, and coherence verification. In source acquisition, the device gathers a contribution from each of two independent sources. The first source is a static hardware anchor combined with a volatile per-epoch salt; the hardware anchor is a value bound to the physical device and not extractable through software interfaces, and the salt is a value drawn from a process whose outputs are not predictable across epochs. The second source is a local state vector summarizing the device's recent operational history, processed through a strong extractor that produces a uniformly distributed output even when the input distribution is non-uniform.
Source extraction transforms each acquired source into a fixed-length contribution suitable for combination. The hardware-plus-salt source is extracted by a keyed hash whose key is the salt and whose input is the hardware anchor; the keyed hash is selected so that the salt is computationally bound to the output and cannot be recovered from the output alone. The state-vector source is extracted by a strong extractor whose seed is itself derived from a public, per-epoch parameter so that the extractor's output is reproducible by a verifier holding the same state vector and the same public seed.
Coherence verification combines the two extracted contributions through a deterministic combination function and tests the result against a coherence predicate. The combination function is collision-resistant, so an attacker who controls only one source cannot produce a combined value matching one produced by an honest combination of both sources. The coherence predicate evaluates whether the combined value is consistent with prior epochs in the device's identity chain; consistency is defined by a hash-chain construction in which each epoch's identity references the prior epoch's identity by hash, and the chain is anchored to a genesis value committed at device provisioning.
Both sources are required: the platform refuses to admit a per-epoch identity for which only one extracted contribution is present, even if the present contribution would be valid in isolation. The refusal is structural rather than policy-based; the combination function takes two inputs, and the coherence predicate evaluates only fully combined values. A device whose hardware anchor is intact but whose state vector has been corrupted, or whose state vector is intact but whose hardware anchor has been tampered with, cannot produce a coherent dual-source identity for the epoch in question. The device's identity chain therefore halts at the last coherent epoch, and any subsequent attempt to advance the chain is detectable by external verifiers as a coherence failure.
Cross-source coherence is the anti-fraud property: an attacker who has compromised one source must also produce a contribution from the other source that, when combined, satisfies the coherence predicate. Because the two sources are information-theoretically independent and because the predicate is bound to the device's prior identity chain, the attacker cannot simply choose a contribution that satisfies the predicate; the attacker must possess a genuine contribution from the second source. This requirement collapses the attack surface from "compromise either source" to "compromise both sources within the same epoch," a substantial increase in the attacker's cost.
The mechanism is keyless in the sense that no long-lived secret key is stored on the device. The hardware anchor is a physical property of the device, not a stored key; the volatile salt is consumed within the epoch and discarded; the state vector is a function of operational history and is recomputed continually rather than retrieved from storage; the extractor seed is public. An attacker who exfiltrates the device's storage in its entirety obtains no value that can be used to forge a future epoch identity, because the values that contribute to a future epoch do not yet exist at the time of exfiltration.
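The three stages described in this section can be sketched as follows. This is an added illustration, not code from the disclosure or from any implementation of it. It assumes HMAC-SHA256 for both the keyed hash and the hash-based extractor, a hash over the concatenated contributions as the combination function, and the hash-chain extension test as the coherence predicate; the record layout, function names and sample values are hypothetical.

```python
import hashlib, hmac, os

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts so field boundaries are unambiguous."""
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def extract_hardware(anchor: bytes, salt: bytes) -> bytes:
    # Keyed hash: the volatile salt is the key, the hardware anchor is the input.
    return hmac.new(salt, anchor, hashlib.sha256).digest()

def extract_state(state_vector: bytes, public_seed: bytes) -> bytes:
    # Hash-based extractor seeded by the public per-epoch parameter (assumed construction).
    return hmac.new(public_seed, state_vector, hashlib.sha256).digest()

def combine(hw: bytes, st: bytes) -> bytes:
    # Two-input combination: there is no single-source path through it.
    if not hw or not st:
        raise ValueError("both extracted contributions are required")
    return h(b"combine", hw, st)

def derive_link(prev_id, epoch, anchor, salt, state_vector, public_seed):
    combined = combine(extract_hardware(anchor, salt),
                       extract_state(state_vector, public_seed))
    identity = h(b"link", prev_id, epoch.to_bytes(8, "big"), combined)
    return {"epoch": epoch, "prev": prev_id, "combined": combined, "identity": identity}

def coherent_prefix(genesis: bytes, links: list) -> int:
    """Hash-chain extension test over committed values only (no salt, no state vector).
    Returns how many links are coherent before the chain halts."""
    prev = genesis
    for n, link in enumerate(links):
        expect = h(b"link", prev, link["epoch"].to_bytes(8, "big"), link["combined"])
        if link["prev"] != prev or not hmac.compare_digest(expect, link["identity"]):
            return n
        prev = link["identity"]
    return len(links)

def demo_chain(epochs: int = 3):
    """Build a chain from constructed sample values (not real device data)."""
    genesis = h(b"genesis", b"constructed-provisioning-commitment")
    anchor, links, prev = b"constructed-hardware-anchor", [], genesis
    for e in range(epochs):
        salt = os.urandom(32)                       # fresh per epoch, then discarded
        state = b"constructed-state-vector-%d" % e  # stands in for operational history
        public_seed = h(b"epoch-seed", e.to_bytes(8, "big"))
        links.append(derive_link(prev, e, anchor, salt, state, public_seed))
        prev = links[-1]["identity"]
    return genesis, links
```

A verifier running `coherent_prefix` sees only the committed records, so a link whose combined value was altered after the fact stops the count at the last coherent epoch.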
Operating Parameters
Epoch length is the principal tunable parameter. A short epoch limits the window during which a compromised contribution remains useful but increases the rate at which the device must perform derivation; a long epoch reduces derivation overhead but extends the exposure of any single epoch to compromise. Implementations select the epoch length based on the threat model of the surrounding application and the energy budget of the device.
The choice of hardware anchor is parameterized along the spectrum from physical unclonable functions through fused device identifiers to secure-element-resident root keys. Each choice trades extraction resistance, replication cost, and provisioning complexity. The dual-source mechanism does not depend on a particular anchor technology; it requires only that the anchor be bound to the device and not extractable through software.
The strong extractor used for the state-vector source is parameterized by its output length, its seed length, and its extraction quality, expressed as the statistical distance between its output distribution and the uniform distribution. Reference embodiments use a Toeplitz-matrix extractor and a hash-based extractor; either is acceptable provided that its extraction quality is sufficient for the entropy of the state-vector source as measured at the device.
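The Toeplitz-matrix extractor named above, as an added sketch that is not taken from the disclosure. It assumes the seed bits are expanded from the public per-epoch parameter with SHAKE-256 and sizes the output with the leftover hash lemma; the function names and the domain-separation label are hypothetical.

```python
import hashlib

def safe_output_bits(min_entropy_bits: int, log2_inv_eps: int) -> int:
    """Leftover hash lemma sizing: m <= k - 2*log2(1/eps) keeps the output
    within statistical distance eps of uniform for a source of min-entropy k."""
    return max(0, min_entropy_bits - 2 * log2_inv_eps)

def seed_bits(public_epoch_param: bytes, nbits: int) -> int:
    """Expand the public per-epoch parameter into exactly nbits of seed.
    SHAKE-256 as the expander is an assumption of this example."""
    raw = hashlib.shake_256(b"toeplitz-seed" + public_epoch_param).digest((nbits + 7) // 8)
    return int.from_bytes(raw, "big") >> (8 * len(raw) - nbits)

def toeplitz_extract(state_vector: bytes, public_epoch_param: bytes, out_bits: int) -> int:
    """Multiply the state vector by a seed-defined Toeplitz matrix over GF(2)."""
    n = 8 * len(state_vector)
    x = int.from_bytes(state_vector, "big")
    # An out_bits x n Toeplitz matrix is fully described by n + out_bits - 1 seed bits.
    seed = seed_bits(public_epoch_param, n + out_bits - 1)
    mask = (1 << n) - 1
    out = 0
    for i in range(out_bits):
        row = (seed >> i) & mask                 # row i is the seed window shifted by i
        parity = bin(row & x).count("1") & 1     # GF(2) dot product of row and input
        out = (out << 1) | parity
    return out
```

Because the map is linear over GF(2), an all-zero state vector always extracts to zero regardless of the seed, which is why the measured entropy of the state-vector source, not the extractor alone, bounds the usable output length.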
The coherence predicate is parameterized by its tolerance for benign drift in the state vector. A strict predicate accepts only state vectors whose extracted contribution combines to a value matching an exact prior-epoch reference; a tolerant predicate accepts state vectors whose extracted contribution combines to a value within a bounded distance of the reference. Tolerance trades robustness against benign perturbation for resistance against adversarial perturbation; implementations select the tolerance based on the variability of the state-vector source on the target device.
The volatile salt's source is parameterized by its entropy rate and its freshness guarantee. A device with a hardware noise source of high entropy may draw the salt directly from the noise source; a device with a lower-entropy source may post-process noise samples through a cryptographic conditioner before use. The mechanism requires only that the salt be unpredictable across epochs and that the same salt not be reused.
Alternative Embodiments
The dual-source mechanism admits embodiments that vary the second source. In a hardware-plus-state embodiment the second source is the local state vector as described above. In a hardware-plus-attestation embodiment the second source is an attestation produced by a co-located component, such as a separate secure element or a remote attestation service whose output is bound to the epoch by the same public seed used for the extractor. In a hardware-plus-biometric embodiment the second source is a biometric reading processed through a fuzzy extractor whose output is deterministic over the user's biometric distribution. Each embodiment preserves the structural property of two information-theoretically independent sources combined per epoch.
The combination function may be embodied as a concatenation followed by a cryptographic hash, as a keyed hash with one source as key and the other as message, as a polynomial commitment evaluating both sources at a public point, or as an exclusive-or combination preceded by extractor outputs of equal length. The structural guarantees do not depend on the choice of combination function provided the function is collision-resistant and binds both inputs to the output.
The coherence predicate may be embodied as a strict equality against a prior-epoch reference, as a hash-chain extension test verifying that the new identity references the prior identity by hash, as a Merkle-tree inclusion test verifying that the new identity belongs to a published epoch tree, or as a signature-style verification using a public parameter that is itself derived from prior epochs. Implementers select the embodiment based on the verification context: an isolated device may use a strict equality test, while a federated deployment may use a Merkle inclusion test that allows third-party verification without revealing the full identity chain.
Embodiments differ in how they handle a coherence failure. A strict embodiment halts the identity chain at the last coherent epoch and requires re-provisioning to re-establish a chain; a recoverable embodiment permits the device to enter a degraded mode in which it continues to operate but with reduced privileges until a coherent epoch can be re-established; a forensic embodiment records the failure as a structured incident report bound to the failed epoch's hash, so that an investigator can reconstruct the conditions under which coherence was lost.
Composition with Other Identity Primitives
Dual-source derivation composes with the dynamic hash-chain primitive of US 19/388,580 because the per-epoch identity produced by the derivation is itself the link by which the chain is extended. The chain's structural property, that each link references the prior link by hash, is preserved because the coherence predicate verifies precisely this reference. A dual-source derivation that produced a coherent value detached from the prior chain would fail the predicate; a chain extension that bypassed the dual-source derivation could not produce a coherent per-epoch identity in the first place.
Dual-source derivation composes with trust-slope validation because the slope is computed over the sequence of per-epoch identities, and a sequence containing an incoherent identity cannot satisfy the slope constraint. An attacker attempting to inject a forged epoch into the sequence must produce both a coherent dual-source contribution and a slope-consistent placement, raising the attack cost beyond the cost of either component in isolation.
Dual-source derivation composes with the post-quantum identity layer because the combination function and the extractor are selected from primitives believed to be secure against quantum-equipped adversaries. The hardware anchor's resistance to extraction is a physical property and is not affected by the cryptographic capabilities of the attacker. The dual-source mechanism therefore inherits post-quantum security from its component primitives without adding new quantum-vulnerable assumptions.
Dual-source derivation composes with the audit subsystem because each epoch's combined value is committed to a durable record, and an external auditor presented with the durable record and the device's public parameters can verify the coherence of any past epoch without holding the device's private state. The auditor cannot reproduce the per-epoch identity, because doing so would require the volatile salt and the state vector at the time of derivation, but the auditor can verify that the committed identity is consistent with the prior chain and with the public parameters.
Prior Art and Distinction
Conventional identity systems rely on long-lived cryptographic keys stored either in software or in a secure element. Dual-source derivation differs in that no long-lived key is stored; the per-epoch identity is freshly derived from sources whose values do not persist between epochs. The attacker who exfiltrates a stored key obtains a long-lived credential; the attacker who exfiltrates a device's storage under dual-source derivation obtains nothing of forward value.
Multi-factor authentication systems combine multiple factors at authentication time, typically by requiring the user to present a password and a one-time code. Dual-source derivation differs in that the two sources are combined at identity-derivation time rather than at authentication time, and the combination is bound to a per-epoch identity rather than to a session token. A compromised factor in a conventional MFA system grants attacker access for the lifetime of the second factor; a compromised source under dual-source derivation grants the attacker no per-epoch identity unless the second source is also compromised within the same epoch.
Physical-unclonable-function identity schemes derive identity from a hardware property alone. Dual-source derivation borrows the hardware-anchor concept but differs in that the hardware contribution is combined with a second source whose entropy is fresh per epoch. A PUF-only scheme that suffers anchor extraction is permanently compromised; a dual-source scheme that suffers anchor extraction remains uncompromised provided the second source is not also extractable.
Threshold cryptography schemes split a secret across multiple parties and require a quorum to reconstruct. Dual-source derivation differs in that the two sources are co-located on a single device but are independent in the information-theoretic sense relevant to forgery; the mechanism does not require a quorum protocol or inter-party communication. The structural property of two-of-two combination is achieved through extractor and combination function design rather than through secret sharing.
Disclosure Scope
This disclosure describes and claims a method and apparatus for deriving a per-epoch identity from two information-theoretically independent sources, wherein both sources are required for derivation, wherein the combination of the two sources is verified against a coherence predicate bound to the device's prior identity chain, and wherein the cross-source coherence functions as an anti-fraud mechanism by requiring an attacker to compromise both sources within the same epoch. The disclosure further claims embodiments in which the second source is a local state vector, a co-located attestation, or a biometric reading; in which the combination function is a hash, a keyed hash, a polynomial commitment, or an extractor-mediated exclusive-or; and in which the coherence predicate is a strict equality, a hash-chain extension, a Merkle inclusion test, or a public-parameter verification. The scope of the disclosure is defined by the claims of US 19/388,580, with priority to Provisional Application 64/050,895, and is not limited by any specific anchor technology, extractor construction, epoch length, or coherence predicate described herein.