No-Consensus Pair Settlement

Mechanism

A matched pair comprises two credentialed parties, denoted Party A and Party B, each in possession of authority credentials issued under the governance chain. A bilateral exchange is initiated when one party emits an offer tuple bearing its credential signature; the counterparty evaluates admissibility against the offer's structural attributes and against its own admissibility policy. If admissibility holds, the counterparty co-signs the tuple, forming a joint observation. The joint observation, bearing both signatures, constitutes the settlement event. Finality is intrinsic to the joint signature: no further validation, propagation, or consensus operation is required to render the settlement effective between the pair.

The settlement event is appended to each party's lineage record. Lineage records are independently maintained, but each entry references the counterparty's credential, the observation tuple's structural hash, and the admissibility evaluation outcome. Downstream verification — by an auditor, regulator, or counterparty in a future exchange — proceeds by reconstructing the admissibility evaluation from the lineage entry and verifying the joint signature against the credentialing authority. No appeal to a global ledger, consensus checkpoint, or clearing record is required; the lineage entry is self-contained verification material.

Admissibility evaluation is the structural gate. Each party's admissibility function may be deterministic, learned, or hybrid; the function consumes the offer tuple, the counterparty's credential, and ambient context, and emits an admit/reject decision with rationale. Rationale is retained in lineage. The pair settlement is therefore not merely a signed agreement but a signed admissible agreement, with the admissibility rationale itself part of the evidentiary record.

Security Model

The security of pair settlement rests on three foundations: the unforgeability of the credential signatures, the integrity of the lineage record, and the soundness of the admissibility evaluation. Signature unforgeability is inherited from the chosen signature scheme under standard cryptographic assumptions. Lineage integrity is enforced through tamper-evident structures appropriate to the lineage realization — append-only logs with hash chaining, merkle accumulators, or external anchoring. Admissibility soundness is enforced through the credentialed declaration of the admissibility function and through the retention of admissibility rationale in lineage, allowing post-hoc verification that admissibility was correctly evaluated.

The threat model encompasses counterparty repudiation, lineage tampering, credential theft, and admissibility manipulation. Repudiation is countered by the joint signature, which constitutes non-repudiable evidence under the credentialing authority. Tampering is countered by the lineage's tamper-evidence properties; tampering is detectable, and the tamper-evident record is itself an audit artifact. Credential theft is countered by credential lifecycle controls including expiry, revocation, and binding to hardware security modules where embodiments require it. Admissibility manipulation — wherein a party signs an offer it should have rejected — is countered by retention of admissibility rationale, which permits post-hoc challenge.

Settlement liveness is bilateral. If either party becomes unresponsive, settlement does not occur; the offering party's lineage records the timeout and the operation may be retried with a different counterparty or under fallback policy. Liveness is therefore a property of the pair, not of a global network, and is recoverable through pair-level retry rather than network-level coordination.

Operating Parameters

Settlement latency is bounded by the round-trip signature exchange between the two parties plus the admissibility evaluation time at each side. In practice this falls in the range of single-digit milliseconds for cryptographic primitives and sub-millisecond to tens of milliseconds for admissibility evaluation depending on policy complexity. Throughput per pair is bounded only by the parties' computational capacity to evaluate admissibility and emit signatures; throughput across a population of pairs scales linearly with the number of active pairs, since pairs do not contend for shared consensus resources.

Settlement size is bounded by the observation tuple's structural specification, which is application-dependent. Tolling exchanges, freight handoff records, and energy-charging events each define their own tuple schema. Lineage growth per party scales linearly with settlement count; lineage compaction policies are governed by retention requirements declared at the credentialing layer. Verification complexity at audit time is constant per settlement, since each lineage entry carries its own verification material.

Failure modes are explicit. If admissibility fails on either side, no signature is exchanged and no settlement occurs; the rejection is recorded in the offering party's lineage with rationale. If a party signs but the counterparty fails to deliver its signature within a declared window, the offer expires and the offering party's lineage records the timeout. Partial settlements — single-party signatures without counterparty co-signature — do not constitute settlement events under the protocol.

Alternative Embodiments

Signature schemes are not constrained by the protocol. Embodiments may employ ECDSA, EdDSA, Schnorr aggregated signatures, BLS pairings with rogue-key resistance, or post-quantum signature schemes such as ML-DSA or SLH-DSA. The protocol requires only that the signature scheme support verifiable joint signing over a defined observation tuple.

Credential issuance may be performed by a single governance authority, a federation of authorities under cross-recognition, or a self-sovereign identity framework with verifiable credential chains. The admissibility function evaluates against whichever credential structure the embodiment carries.

Lineage storage may be local-only, replicated to a counterparty-elected witness, distributed across a content-addressable storage layer, or anchored periodically to an external ledger for tamper-evidence. Anchoring is optional and orthogonal: the settlement's finality does not depend on anchoring, but anchoring may be elected to strengthen non-repudiation in adversarial counterparty contexts.

Consensus services may participate as credentialed observers when present. An observer receives the joint observation under the same credential framework as the pair and may emit a witness attestation. The witness attestation is supplementary; it does not gate settlement and is not required for finality.

Composition

Pair settlement composes with the broader mesh through the lineage primitive. A party that has settled with multiple counterparties accumulates a lineage record that, when surfaced selectively, demonstrates a pattern of admissible exchange. Reputation, throughput entitlement, and downstream credentialing decisions consume this lineage. The lineage is bilateral in origin but aggregable in use.

Pair settlement composes with N-party coordination patterns by serving as the atomic unit beneath higher-order patterns. A ratified handoff among three parties decomposes into pair settlements between each adjacent pair, with the handoff's coherence checked against the union of pair lineages. Joint-witness patterns invoke pair settlement between the witnessed parties and the witness. Federated patterns invoke pair settlements across the federation under declared admissibility models.

Pair settlement composes with governance-chain operations through credential validity. If a credential is revoked subsequent to settlement, prior settlements remain valid as historical events but new settlements under the revoked credential cannot occur. The lineage carries the credential's validity at settlement time, not at audit time, preserving temporal integrity.

Distinction From Prior Art

The protocol is distinct from blockchain consensus protocols. Blockchain finality requires that a transaction be propagated to and validated by a network of consensus participants; finality emerges probabilistically as the transaction is buried under additional consensus rounds. The pair protocol's finality is intrinsic to the joint signature and does not require propagation beyond the pair. It is distinct from central counterparty (CCP) clearing, in which a clearinghouse interposes itself as legal counterparty to both sides and assumes settlement risk. The pair protocol carries no third-party interposition; settlement risk is bilateral. It is distinct from over-the-counter (OTC) bilateral settlement under prevailing market conventions, in which settlement is signed but admissibility is performed informally or against external compliance systems. The pair protocol incorporates admissibility as a structural primitive within the protocol itself, with admissibility rationale retained in lineage. It is distinct from payment channels and state channels, which permit off-chain bilateral activity but ultimately settle to a chain at channel close. The pair protocol does not require chain closure; lineage is the settlement record.

Application Scenarios

Mass tolling is a paradigmatic application. A vehicle and a tolling gantry constitute a matched pair, each credentialed under a transportation-authority governance chain. Passage events generate observation tuples encoding vehicle credential, gantry credential, time, and toll structure; the joint signature is the settlement; lineage retention furnishes the audit record. Throughput per gantry scales with pair-evaluation capacity, not with consensus-network throughput, enabling free-flow tolling at highway speeds without batching delays.

Real-time energy charging is a second application. A charging station and an electric vehicle constitute a pair under an energy-grid governance chain. Charge sessions generate continuous or periodic observation tuples encoding energy delivered, time, tariff, and grid-state attestations; pair settlement avoids the latency penalty of network consensus and admits operation across grid-edge deployments where consensus-network connectivity is intermittent.

Freight handoff is a third application. Adjacent custodians in a supply chain constitute pairs at handoff points; observation tuples encode cargo identifiers, custody attributes, and condition attestations. The pair-settlement record at each handoff composes into a custody chain; no global consensus over the supply network is required for individual handoff finality.

Adversarial-degraded operation is a fourth application. When external consensus services are unavailable due to network partition, denial-of-service, or jurisdictional restriction, pair settlement continues unaffected. Lineage accumulated during the degraded period furnishes evidence for later reconciliation when external services are restored. The architecture therefore supports continuity under degradation that would halt consensus-bound architectures.

Disclosure Scope

The disclosure encompasses the pair settlement protocol, the admissibility-bound joint signature, the lineage retention scheme, and the composition rules with N-party patterns and governance-chain operations. The protocol is disclosed independent of any specific signature scheme, credential framework, lineage storage technology, or admissibility-function realization. Embodiments employing high-frequency operations, including mass tolling, real-time energy charging, freight handoff, and adversarial-consensus-degraded operation, are encompassed within the disclosure. Variations in tuple schema, signature aggregation, lineage anchoring strategy, and credential-issuance hierarchy are likewise encompassed.

The disclosure further encompasses methods of operation comprising: (a) emitting an admissibility-evaluated offer tuple from a first credentialed party; (b) evaluating the offer against a second credentialed party's admissibility policy; (c) co-signing the offer to form a joint observation; (d) appending the joint observation to each party's lineage with admissibility rationale; and (e) verifying the settlement at audit time through reconstruction of admissibility evaluation against retained lineage. Variations on these method steps, including parallelized admissibility evaluation, batched signature aggregation across temporally proximate pair events, and selective lineage disclosure under credentialed minimization, are within scope.