Stateless Symmetric Encryption: Session Keys Derived From Current Identity State

Mechanism

The stateless symmetric encryption mechanism replaces the conventional notion of a stored session key with a derivation rule that is re-evaluated for each message. The derivation consumes three inputs: the recipient's current identity hash drawn from the dynamic hash chain that tracks biological-identity continuity, a transmission-specific salt that ensures distinctness between messages exchanged within the same identity-state window, and a domain-separation tag that binds the derived key to the encryption purpose rather than to authentication, signing, or any other downstream use. A hash-based key derivation function combines these inputs to produce the symmetric key under which the message body is sealed.

On the sender side, the protocol begins with a request for the recipient's current identity hash. This hash is not a long-lived public key; it is the head of a hash chain whose evolution is gated by trust-slope events in the recipient's lineage record. The sender obtains the hash, evaluates the derivation function, encrypts the payload, transmits the ciphertext together with the salt and a commitment to the recipient's identity-hash index, and discards the derived key. No copy of the key persists at the sender. No copy of the recipient's identity state persists at the sender beyond the duration required to perform the encryption operation itself.

On the recipient side, the protocol reverses the same construction. The recipient receives the ciphertext, the salt, and the index commitment. The recipient consults its own lineage to recover the identity hash at the indicated index, runs the same derivation, decrypts the payload, and discards the derived key. Because the recipient's lineage is locally available and cryptographically committed, this recovery is always possible for messages addressed to legitimately current or recent states. Messages addressed to states the recipient has never occupied cannot be decrypted, providing a structural failure mode that distinguishes legitimate traffic from misdirected or forged traffic without recourse to external validation.

The two-stage validation that the mechanism enables operates as follows. The first stage is the structural validation performed by the derivation itself: a recipient that cannot reproduce the key has not occupied the asserted identity state, and the failure is observed as a decryption error before any payload semantics are inspected. The second stage is the trust-slope evaluation performed against the lineage record once the payload has been decrypted: the recipient verifies that the identity-hash index referenced by the sender lies on a continuity-preserving slope rather than on a branch that was repudiated, abandoned, or terminated. Both stages are local. Neither requires consultation of a remote authority, a certificate revocation list, or a key-escrow service.

The dynamic hash chain that anchors the derivation evolves through trust-slope events, each of which records a continuity-preserving transition in the recipient's biological-identity state. The evolution rule is append-only and cryptographically committed, so a recipient's history of identity hashes is auditable but immutable. This property is what allows a sender to reference a hash by index rather than by content: the index uniquely identifies a position in a chain whose contents cannot be retroactively altered without detection. The mechanism therefore avoids the storage of any key material while preserving the addressability that key-based protocols rely on for routing and reply.

Compromise behavior follows directly from the construction. Recovery of a single derived key by an adversary, whether through cryptanalysis, side-channel observation, or endpoint compromise, exposes exactly one message. The derived key is not a member of a family from which other keys can be inferred; it depends on the recipient's identity hash at one specific index, and the chain's append-only construction prevents the adversary from extrapolating forward or backward without forging the chain itself. Forging the chain requires forging biological-identity continuity, which is the threat model the keyless identity system is designed to resist at the identity level rather than at the transport level.

Operating Parameters

The derivation function is parameterized by output length, salt length, and domain-separation tag. The output length is fixed by the symmetric cipher selected for payload encryption; for AES-256-GCM the derivation produces a 256-bit key and a 96-bit nonce drawn from disjoint regions of the derivation output. The salt length is bounded below by the collision-resistance requirement for the expected message volume within a single identity-state window and is typically set to 128 bits. The domain-separation tag is a fixed string that distinguishes encryption-purpose derivations from authentication, signing, and lineage-commitment derivations that share the same identity hash as input.

Identity-hash freshness is governed by the trust-slope evaluation cadence. A recipient that has not advanced its identity hash within the freshness window declared by the sender will be unable to decrypt, and the sender's freshness policy is therefore an operating parameter that trades latency tolerance against the granularity of compromise containment. Typical freshness windows range from seconds for high-assurance synchronous exchanges to hours for store-and-forward messaging. The window is enforced by the sender's choice of identity-hash index and is observable to the recipient through the index commitment.

Replay resistance is provided by the salt and the index commitment jointly. A replayed ciphertext addressed to the same index will derive the same key and decrypt successfully, but the recipient's lineage records the prior receipt and will reject the duplicate at the lineage layer. Replay resistance is therefore a structural property of the lineage rather than a property of the encryption layer per se, and the encryption layer is correspondingly free of nonce-management state.

The mechanism imposes no requirement on synchronized clocks. Identity-hash indices are monotonic within a chain but unordered across chains, and the protocol carries no timestamp that must be agreed between sender and recipient. This independence from time synchronization is significant for deployments across federated and partition-tolerant infrastructures where clock skew cannot be bounded.

Throughput is bounded by the cost of the derivation function rather than by the cost of key management. On commodity hardware the derivation completes in microseconds, and the absence of key-storage I/O removes the dominant latency source observed in conventional session-key architectures. The mechanism therefore tends to outperform stored-key alternatives at high message rates while providing strictly stronger compromise containment.

Alternative Embodiments

The provisional contemplates several derivation-function substitutions. HKDF over SHA-256 is the reference embodiment; substitutions to HKDF over SHA-3, BLAKE3, or argon2id are within scope. Argon2id is appropriate for embodiments where the derivation cost itself contributes to compromise resistance, for example by raising the cost of offline key-recovery attempts against intercepted ciphertexts. The choice of function does not alter the structural properties of the mechanism; it adjusts the cost and the resistance profile.

Embodiments differ in how the recipient's identity hash is conveyed to the sender. Pull embodiments have the sender request the hash directly from the recipient or from a lineage-aware directory. Push embodiments have recipients publish hash advancements to subscribed senders. Embedded embodiments carry the hash inside an enclosing protocol such as a session-establishment handshake. The mechanism is indifferent to the conveyance mode provided the hash carries a verifiable index commitment.

Symmetric ciphers other than AES-GCM are contemplated, including ChaCha20-Poly1305 for embodiments targeting platforms without AES hardware acceleration and AES-OCB for embodiments where the patent landscape favors that mode. The mechanism is independent of cipher choice provided the cipher accepts a key and nonce of fixed length and provides authenticated encryption.

The two-stage validation can be collapsed to a single stage in embodiments where the trust-slope evaluation is performed before decryption rather than after. This ordering is appropriate when payload-confidentiality concerns dominate, since it ensures that ciphertext is decrypted only after the lineage record has been independently validated. The cost is an additional round trip in some conveyance modes; the benefit is that decryption oracles cannot be probed against arbitrary index references.

Embodiments operating across heterogeneous trust domains may layer the derivation under a domain-binding step that mixes a domain identifier into the derivation input. This permits a single recipient identity to participate in multiple non-interfering encryption domains without cross-domain key reuse and without storing per-domain key material.

Composition

Stateless symmetric encryption composes with the keyless identity system's lineage and trust-slope mechanisms to produce a transport layer whose properties hold under partition, substrate migration, and adversarial conditions. The composition is structural: the encryption mechanism cannot be deployed in isolation because its inputs are properties of the identity layer, and the identity layer relies on the encryption mechanism to bind transport-level events to lineage-level commitments.

The mechanism composes with revocation by construction. Revocation in the keyless identity system is expressed as a trust-slope event that terminates a branch of the chain. Messages encrypted under indices on a terminated branch become undecryptable to recipients that have honored the revocation, and the encryption layer therefore enforces revocation without separate revocation infrastructure. There is no certificate revocation list, no online status protocol, and no propagation latency between the issuance of a revocation and its effect on transport.

Composition with audit is direct. Each encryption event is attestable through the index commitment carried in the ciphertext and through the lineage record at the recipient. An auditor with access to the lineage and to the ciphertexts can reconstruct the set of messages exchanged under each identity state without recovering payload contents, and can detect any divergence between the asserted index and the lineage's record of that index. Audit is therefore a property of the system rather than an external overlay.

The mechanism composes with the dynamic indexing protocol of the memory-native protocol stack to permit semantic routing of encrypted flows. The index commitment carried with each ciphertext is a structural input to the indexing protocol's restructuring decisions, and the encryption mechanism's freshness window provides a natural lifetime bound for indexed flows. This composition is what permits the system to operate as a transport rather than as a point-to-point messaging primitive.

Prior-Art Boundary

The construction is bounded against three families of prior art. The first is conventional session-key architectures, including TLS, Noise, and Signal's double ratchet. These architectures derive session keys from long-lived secrets and from session-specific nonces; they store the long-lived secrets and rely on their persistence. The mechanism described here stores no long-lived secret. The recipient's identity hash is not a secret in the cryptographic sense; it is a public commitment to a position in an append-only chain.

The second family is identity-based encryption in the Boneh-Franklin lineage. Identity-based encryption derives a public key from a string identifier and relies on a private-key generator to issue corresponding private keys to recipients. The mechanism here has no private-key generator, no master secret, and no escrow surface. The derivation runs symmetrically at both endpoints and depends on a recipient-local lineage rather than on a centrally issued private key.

The third family is biometric-keyed encryption, in which a key is derived from a biometric measurement at the time of use. The mechanism described here is not biometric-keyed in this sense. The biological-identity continuity that anchors the chain is itself anchored in lineage records and trust-slope events, not in raw biometric measurements; the chain head is a hash, not a fuzzy extractor output. The construction therefore avoids the noise-tolerance and template-storage problems that biometric-keyed schemes contend with.

Disclosure Scope

The disclosure under Provisional 64/050,895 covers the derivation construction as described, the conveyance modes for the recipient's identity hash, the two-stage validation arrangement and its single-stage variant, the substitution family for the derivation function, the substitution family for the symmetric cipher, the composition with lineage-based revocation, the composition with the dynamic indexing protocol, and the operating-parameter envelope including freshness-window selection and salt-length bounds. Embodiments that depart from the recited derivation inputs, that introduce persistent key material, or that substitute external authorities for lineage-based validation fall outside the scope of the disclosure as filed and would require separate consideration.