Agent-Substrate Slope Entanglement: Binding Every Mutation Step to Its Execution Host

Mechanism

Each agent maintains an identity slope, which is an ordered sequence of identity states linked by a one-way hash construction. Each host maintains a device hash slope, which is an ordered sequence of device states linked by the same construction. The slopes evolve in discrete steps. A mutation step on the agent is the event at which both slopes advance together.

At a mutation step, the host computes a host mutation token by hashing together the host's current device state, the agent's current identity state, the operation being performed, and a freshness value drawn from the substrate's commitment chain. The token is the joint commitment that entangles the two slopes. The agent's next identity state is defined as the hash of the agent's current identity state concatenated with the host mutation token. The host's next device state is defined as the hash of the host's current device state concatenated with the same host mutation token. The two definitions share the token; they cannot be evaluated independently without it.

The token is emitted into the substrate's commitment chain as a single record. Verifiers downstream do not need to observe the agent and the host separately; the presence of the token in the chain is sufficient to prove that both slopes advanced together at the recorded chain height. A token whose agent contribution is present but whose host contribution is absent, or vice versa, fails verification because the two next-state definitions would not agree on the token's value.

Cross-rotation is the failure mode in which an attacker who has obtained one slope attempts to advance it without advancing the other. Because each next state is a function of the joint token, advancing one slope without the other requires producing a token whose host-side definition is consistent with a device state that was never committed, or whose agent-side definition is consistent with an identity state that was never committed. Both inconsistencies are detectable by replaying the chain from the last verified joint state. The detection is local: any verifier with the chain can perform it, without consulting the original host or the original agent.

The construction does not rely on long-lived keys. The host's device hash slope is a hash chain, not a signing key; the agent's identity slope is a hash chain, not a signing key. The token is a hash, not a signature. The verifier checks hash equalities, not signature validities. This is the sense in which the identity is keyless: there is no private key whose theft would compromise prior or future states, because there is no private key.

Replay is prevented by the freshness value. Each token incorporates a fresh substrate-chain commitment that was not available before the mutation step began, so a token cannot be reused at a later step. Forward secrecy is provided by the one-way construction: a verifier who learns a later joint state cannot derive an earlier joint state, because the construction is preimage-resistant. Backward secrecy is provided by the freshness value: a verifier who learns an earlier joint state cannot predict a later joint state, because the freshness value at the later step has not yet been chosen.

Operating Parameters

The hash construction is parameterized by a substrate-wide hash function with declared preimage resistance, second-preimage resistance, and collision resistance bounds. The construction is agnostic to the choice of hash function so long as the bounds are met; substrates may select a post-quantum-secure construction, a construction tuned for low-power devices, or a construction tuned for high-throughput verification, without altering the entanglement protocol.

The freshness value is drawn from the substrate's commitment chain at a depth bounded above by a substrate-declared freshness window. A token whose freshness value lies deeper than the window is rejected, which prevents an attacker who has captured an old freshness value from constructing a token at a later wall-clock time. The freshness window is set by the substrate operator and is itself a committed parameter, so changes to the window are auditable.

The agent's identity slope and the host's device hash slope advance in lockstep at every mutation step. Neither slope advances during read-only operations. This bounds the rate of slope advancement to the rate of mutation, which in turn bounds the storage cost of slope retention and the verification cost of slope replay. Substrates may declare a maximum mutation rate per agent and per host; tokens that would exceed the declared rate are refused at the substrate, with a refusal record that names the rate violation.

The token format is fixed-size. The agent contribution, the host contribution, the operation identifier, and the freshness value each occupy declared field widths. This bounds the per-token storage cost and permits efficient batch verification of long token sequences using the substrate's standard chain-replay machinery.

Alternative Embodiments

The joint token may be embodied as a single hash output, as a Merkle leaf in a per-step commitment tree, or as a tuple of paired hashes that are individually committed and jointly verified. The entanglement property is preserved across these embodiments so long as the agent's next state and the host's next state are both computed from inputs that include the same joint commitment.

The hash construction may be embodied as a plain SHA-2 family function, as a SHA-3 family function, as a post-quantum hash construction such as one built on a lattice or code-based primitive, or as a domain-separated combination of multiple primitives. The substrate declares the construction in its committed configuration; agents and hosts that disagree on the construction cannot produce verifying tokens, which makes the configuration disagreement structurally visible rather than silent.

The freshness source may be embodied as the substrate's own commitment chain, as an external beacon committed into the substrate, or as a hybrid in which both contribute to the freshness value through a domain-separated combiner. The choice does not affect the entanglement property; it affects the threat model the substrate operates under, which is a separate axis of variation.

The slope storage may be embodied as a full retained slope, as a checkpointed slope with periodic compaction, or as a verifier-side reconstruction from the substrate chain alone. The verifier-side reconstruction is the most storage-efficient embodiment; it requires that the substrate chain retain the tokens, which is the substrate's existing audit obligation. Agents and hosts in this embodiment retain only their current state and the most recent token, which suits resource-constrained devices.

Multi-host migration is embodied through a paired token in which both the source host and the destination host contribute hashes, and the agent's next state is computed from the joint paired token. This extends the entanglement property across host transitions without breaking the slope; the agent's slope acquires a step that records both hosts, and either host can be excluded from a later replay only by producing a paired token whose other half it could not have known, which is detectable.

Composition With Other Identity Primitives

Slope entanglement composes with the keyless identity system's trust slope validator, its dynamic hash chain, and its provenance verifier. The trust slope validator consumes the joint token sequence and confirms that each step's token is well-formed under the declared construction and that the chain of tokens advances both slopes monotonically. The dynamic hash chain consumes the tokens as commitment leaves and produces the substrate-wide audit structure that downstream verifiers rely upon. The provenance verifier consumes the tokens and the operation identifiers to reconstruct the sequence of mutations that produced an agent's current state, including the host that performed each mutation.

The composition is closed under the keyless property. None of the composing primitives requires a long-lived signing key; all of them operate on hashes and on the substrate chain. An attacker who compromises a host at time t cannot forge tokens at times before t, because the freshness values at earlier times are committed to the chain and cannot be reused, and cannot forge tokens at times after t in the name of an agent that has migrated to a different host, because the destination host's contribution to the token cannot be produced without the destination host's current device state.

The composition is also closed under audit. Every token is a chain record. A regulator who replays the chain learns the complete history of the agent's mutations and the complete history of each host's contributions, without needing to query the agents or the hosts. This is the property the keyless identity system was designed to provide and the property slope entanglement is the structural mechanism for.

Distinction Over Prior Art

Conventional identity systems based on long-lived public-key certificates bind an agent to a key, not to a host. A certificate proves that the holder of a private key is the agent the certificate names; it does not prove that the agent's most recent mutation occurred on a specific host. Compromise of the private key produces forgeable mutations indistinguishable from genuine ones. Slope entanglement does not rely on a private key, and the absence of a key removes the corresponding compromise mode.

Hash-chain identity systems that advance an agent's slope independently of any host produce an auditable mutation history but cannot attribute mutations to execution locations. An attacker who obtains the agent's slope state can advance the slope from any host. Slope entanglement closes this gap by requiring the host's contribution to the joint token; an attacker without the host's current device state cannot advance the slope, regardless of what they know about the agent.

Trusted-execution-environment attestation systems bind an operation to a host through an attestation signature. The attestation proves the host executed the operation, but it does not bind the operation to the agent's prior identity state in a way that prevents cross-rotation. An attacker with attestation capability could attest to operations under fabricated agent states. Slope entanglement requires the agent's current state to be an input to the joint token, which prevents the attesting host from producing a verifying token for a fabricated agent state.

Threshold-signature and multi-party-computation identity systems distribute the signing capability across parties but retain the underlying long-lived secret material. They do not provide the keyless property and do not produce an entangled slope; they provide a different security property and operate under a different threat model.

Disclosure Scope

This disclosure is part of the keyless identity system described in US 19/388,580 and supported by Provisional 64/050,895. Slope entanglement is the structural mechanism by which the keyless identity system binds agent identity transitions to host execution. The disclosure covers the joint token construction, the next-state definitions for both slopes, the freshness window, the multi-host migration embodiment, and the composition with the trust slope validator, the dynamic hash chain, and the provenance verifier.

Implementations that advance the agent slope without a host contribution fall outside the disclosure, because they fail to produce the entanglement property. Implementations that advance the host slope without an agent contribution likewise fall outside the disclosure. Implementations that retain the joint construction but vary the hash primitive, the freshness source, or the slope storage embodiment fall within the disclosure, because the entanglement property and the keyless property are preserved across those variations.