Mechanism
Identity in this disclosure is not a stored credential but a trust slope: the cumulatively validated sequence of dynamic hashes produced by successive identity mutations, where each successor must be a valid descendant of the previously trusted state under policy-bounded checks. Each step on the slope is advanced by an update rule that incorporates at least one unpredictability contribution and a volatile salt. The disclosure provides two exemplary mechanisms for supplying that unpredictability, and a hybrid that incorporates both in the same step. The dual-source derivation is that hybrid: an update step in which a hardware-anchor contribution and a local-state extractor contribution are both included, concatenated, within the same successor computation.
The two sources are not symmetric secrets combined at a verification gate. They are two ways of supplying fresh, non-exported unpredictability into the same hash-based update rule. The first source is a static hardware anchor combined with a volatile, non-repeating salt. The second source is a locally observed state collected into a local state vector and transformed by a strong extractor into a bounded pseudorandom token. Either source alone produces a valid successor identity; the hybrid concatenates both into the same update step so that the resulting dynamic hash is bound to both contributions at once.
The Hardware-Anchor Source
In the hardware-anchor embodiment, the unpredictability contribution is a keyed derivation from a static hardware anchor and a volatile per-epoch salt. The hardware anchor is a device-bound identifier such as a TPM, a TEE, or a SoC identifier. By itself the anchor is constant, so freshness is supplied by the volatile salt, which is non-repeating at the device-epoch level. The update rule for this embodiment is computed by hashing the prior dynamic hash with a key-derivation-function output over the hardware identifier and the volatile salt, together with a domain-separating tag, expressed in the disclosure as H(DAH_prev || KDF(HWID, salt) || tag).
Because the salt does not repeat, the same constant anchor yields a distinct successor at each epoch, and an observer of one dynamic hash gains no ability to compute the next. This embodiment accommodates constrained devices that expose a hardware identifier but cannot derive a rich local state. Continuity for hardware-anchor successors is validated through verification of per-epoch salt freshness and expected temporal cadence rather than through a stored key.
The Local-State Source
In the local-state embodiment, the unpredictability contribution is an extractor output over a stability-tuned local state vector, used without exposing the raw local state. The local state vector consists of device-observable signals sampled within an epoch, which the disclosure lists as including one or more of monotonic counters, high-resolution timing deltas, CPU performance counters, scheduler jitter statistics, I/O inter-arrival micro-jitter, sensor noise, rolling process histograms, and short-horizon sketches of recent dynamic hashes.
A feature map produces a value X from the local state vector: it normalizes and clips the signals, projects them to a fixed dimension via signed random projections with a public seed, optionally appends a discrete context code derived from a semantic context vector, and applies a locality-sensitive binarization. The disclosed purpose of that binarization is that small fluctuations produce stable X values while genuine role or zone changes flip a controlled subset of bits. A strong extractor then maps X to a pseudorandom token, and the update rule is computed as H(DAH_prev || Ext(X) || salt || tag). The extractor output may be disclosed in bounded proofs without leaking the underlying state.
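The feature map described above, sketched as an added example (not code from the disclosure). The Gaussian projection matrix, the sign-based binarization, the 64-bit width, the policy-supplied `center`/`scale` values and all sample signals are assumptions made for illustration.

```python
import random

def feature_map(lsv, center, scale, n_bits=64, public_seed=2024, clip=3.0, context_code=""):
    """Map a local state vector (list of floats) to the bit string X."""
    # 1. Normalize each signal against policy-supplied center/scale, then clip outliers.
    z = [max(-clip, min(clip, (v - c) / s)) for v, c, s in zip(lsv, center, scale)]
    # 2. Signed random projections: directions are regenerated from a public seed,
    #    so the device and any auditor build the same projection matrix.
    rng = random.Random(public_seed)
    rows = [[rng.gauss(0.0, 1.0) for _ in z] for _ in range(n_bits)]
    # 3. Locality-sensitive binarization: keep only the sign of each projection.
    bits = "".join("1" if sum(r * x for r, x in zip(row, z)) >= 0 else "0" for row in rows)
    # 4. Optionally append a discrete context code.
    return bits + context_code

def hamming(a, b):
    """Number of bit positions in which two X values differ."""
    return sum(x != y for x, y in zip(a, b))

# Constructed sample signals (eight device-observable measurements per epoch).
CENTER = [1000.0, 50.0, 0.2, 300.0, 12.0, 0.5, 40.0, 7.0]
SCALE = [100.0, 10.0, 0.1, 50.0, 4.0, 0.25, 10.0, 2.0]
BASE = [1080.0, 42.0, 0.31, 260.0, 15.0, 0.2, 47.0, 9.5]
JITTER = [1080.1, 42.0, 0.31, 260.05, 15.0, 0.2, 47.0, 9.5]   # small fluctuation
SHIFTED = [900.0, 65.0, 0.12, 380.0, 6.0, 0.9, 25.0, 4.0]     # role or zone change

def demo():
    """Return (bits flipped by jitter, bits flipped by a genuine state change)."""
    x0 = feature_map(BASE, CENTER, SCALE)
    return (hamming(x0, feature_map(JITTER, CENTER, SCALE)),
            hamming(x0, feature_map(SHIFTED, CENTER, SCALE)))

if __name__ == "__main__":
    print(demo())
```

A plain sign binarization flips a bit whenever a projection sits close to zero, so an acceptance policy has to tolerate a small Hamming distance rather than expect bit-exact X values.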
Hybrid Derivation
The hybrid, or combined, embodiment includes both the locally derived token and the hardware-derived contribution in the same update step. The disclosure describes this as concatenating both contributions within the update rule, and the claims recite an update rule that includes a hardware-anchor derivation and a local-state extractor output wherein both are concatenated in the update rule. The result is a single successor identity bound to time, context, prior state, the hardware anchor, and the local state vector.
The stated rationale is robustness across heterogeneous device classes: the hybrid maintains compatibility with constrained devices while benefiting from richer state capabilities on more capable platforms. The hybrid is not a separate identity primitive; it is the same hash-based update rule with two unpredictability inputs concatenated rather than one. Each successor it produces remains an ordinary point on the trust slope, validated by the same successor-continuity logic as the single-source embodiments.
Validation in the Hybrid Embodiment
A verifier validates a presented successor by reconstructing the expected successor from the last trusted identity under the update rule and the recipient-defined policy-bounded continuity parameters, then checking the presented value against that expectation. The disclosure states that validation is uniform across embodiments: hardware-anchor successors are validated through salt freshness and cadence, local-state successors are validated through a stability-tuned acceptance neighborhood over extractor outputs, and in the hybrid embodiment both checks are applied.
The disclosed rule for the hybrid is that both sources must satisfy continuity, and anomaly in either source suffices to trigger rejection. There is no separate predicate that combines two independent secrets; there is a successor-continuity check applied to a single concatenated update in which a failure of either contribution is sufficient to reject the claim. Replay resistance is enforced separately, by binding acceptance to monotonic advancement along the slope and forbidding reuse of previously accepted successors within a policy horizon.
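The hybrid update step and its verifier, as an added example that is not the disclosure's own code. SHA-256 for H, HMAC-SHA256 as stand-ins for KDF and Ext, the field order, the length-prefixed encoding, and an explicit set of accepted tokens standing in for the acceptance neighborhood are all assumptions; the verifier receives the per-step proof materials (hardware derivation, extractor token, salt), never the raw HWID or local state.

```python
import hashlib, hmac

def _lp(*parts):
    # Length-prefix every field so the concatenation is unambiguous (added assumption).
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def kdf(hwid, salt):
    # Stand-in for KDF(HWID, salt): HMAC-SHA256 keyed by the per-epoch salt.
    return hmac.new(salt, hwid, hashlib.sha256).digest()

def ext(x, seed=b"public-extractor-seed"):
    # Stand-in for Ext(X): HMAC-SHA256 under a public seed.
    return hmac.new(seed, x, hashlib.sha256).digest()

def hybrid_step(dah_prev, hw, token, salt, tag=b"hybrid/v1"):
    # H(DAH_prev || KDF(HWID, salt) || Ext(X) || salt || tag); field order is assumed.
    return hashlib.sha256(_lp(dah_prev, hw, token, salt, tag)).digest()

class Verifier:
    def __init__(self, trusted_dah, accepted_tokens):
        self.dah = trusted_dah                # last trusted identity on the slope
        self.tokens = set(accepted_tokens)    # models the acceptance neighborhood
        self.salts, self.accepted = set(), {trusted_dah}

    def validate(self, presented, hw, token, salt):
        if presented in self.accepted:
            return "reject: replay"
        if salt in self.salts:
            return "reject: stale salt"               # hardware-anchor continuity
        if token not in self.tokens:
            return "reject: local-state anomaly"      # local-state continuity
        if not hmac.compare_digest(presented, hybrid_step(self.dah, hw, token, salt)):
            return "reject: not a descendant"
        self.salts.add(salt); self.accepted.add(presented); self.dah = presented
        return "accept"

def demo():
    # Constructed sample values, not taken from the disclosure.
    hwid, genesis = b"HWID-EXAMPLE", hashlib.sha256(b"genesis").digest()
    tok, bad = ext(b"1011001110001111"), ext(b"0100110001110000")
    v, out = Verifier(genesis, [tok]), []
    s1 = hybrid_step(genesis, kdf(hwid, b"salt-1"), tok, b"salt-1")
    out.append(v.validate(s1, kdf(hwid, b"salt-1"), tok, b"salt-1"))   # accept
    out.append(v.validate(s1, kdf(hwid, b"salt-1"), tok, b"salt-1"))   # replay
    s2 = hybrid_step(s1, kdf(hwid, b"salt-1"), tok, b"salt-1")
    out.append(v.validate(s2, kdf(hwid, b"salt-1"), tok, b"salt-1"))   # stale salt
    s3 = hybrid_step(s1, kdf(hwid, b"salt-2"), bad, b"salt-2")
    out.append(v.validate(s3, kdf(hwid, b"salt-2"), bad, b"salt-2"))   # local anomaly
    s4 = hybrid_step(s1, kdf(hwid, b"salt-2"), tok, b"salt-2")
    out.append(v.validate(s4, kdf(hwid, b"salt-2"), tok, b"salt-2"))   # accept
    return out
```

A rejected claim leaves the verifier's trusted state, salt history and accepted set untouched, so the next valid successor still chains from the last accepted identity.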
The Keyless Property
Across all three embodiments no persistent private key is stored. Each dynamic hash is ephemeral, non-reusable, and meaningful only as part of a monotonic sequence anchored in a previously trusted state. Observing a dynamic identity yields no ability to generate successors, because continuity checks require advancing from retained prior state under the update rule, using unpredictability that is not exported: the volatile salt is non-repeating and scoped to the step, the hardware anchor is device-bound and read through a key-derivation function rather than stored as a credential, and the local state vector is recomputed from device-observable signals rather than retrieved as a secret. The disclosure states that an attacker lacking the device's local state or volatile salt cannot feasibly synthesize valid successors.
Composition with Other Identity Mechanisms
The dual-source update rule supplies successors to the broader memory-native substrate, so it composes directly with the other disclosed mechanisms. Entropy-anchor rotation derives a new initial identity from the same permitted sources, hardware anchor plus volatile salt, local state vector plus extractor, or a hybrid of both, using the same update rule with a versioned domain separator, and records a forward link binding the prior epoch's terminal value to the new initial identity. Agent-to-substrate entanglement is neutral to which source the host uses for its dynamic device hash, deriving the host mutation token from that device hash regardless of embodiment.
Append-only mutation lineage, delayed validation, and sparse checkpoint recovery are each described as agnostic to the unpredictability source: the per-step proof materials carry an extractor token, a keyed hardware derivation, or both, and in the hybrid case both must validate. Biometric input appears in the disclosure only as an optional reseeding source for entropy-anchor rotation, processed through a privacy-preserving fuzzy extractor with liveness verification and never exported; it is not a derivation source for the per-epoch update rule.
Disclosure Scope
The dual-source update rule for advancing a memory-native trust slope, in which each successor dynamic hash is generated from at least one unpredictability contribution and a volatile salt, where the unpredictability contribution may be a keyed derivation from a static hardware anchor and a volatile per-epoch salt, an extractor output over a stability-tuned local state vector used without exposing raw local state, or, in the hybrid embodiment, both contributions concatenated within the same update rule, together with successor validation that reconstructs the expected successor under policy-bounded continuity parameters and, in the hybrid embodiment, requires both contributions to satisfy continuity with anomaly in either sufficient to trigger rejection, is disclosed in U.S. Application No. 19/388,580. This article describes that disclosed mechanism. The scope is defined by the claims and is not limited by any specific hardware-anchor technology, extractor construction, local-state signal set, salt source, or epoch cadence described herein.