CVK Session Activation | Cyber Immunity Whitepaper

Overview

The CVK Session Activation ceremony grants a CMK-authenticated user session-level control over their Consumer Vendor Key (CVK) - a per-user, per-vendor key that acts as the user's personal cryptographic authority within that vendor's context. The CVK enables user-sovereign operations: identity wallet signing, cryptocurrency wallet transactions, SSH certificate issuance, or any use case requiring individual (rather than organizational) authority.

The ceremony is substantially simpler than CMK authentication (Protocol: CMK Authentication):

No PRISM. The user has already proven password knowledge via the CMK ceremony. CVK ORKs accept the CMK blind signature as the authentication gate.
No blinding. CVK ORKs already know the user's VUID and gCVK - there is no cross-vendor unlinkability requirement at this layer. CVK signing uses standard threshold Ed25519, not the double-blind BEd255475 construction.
No identity recovery. The VUID was derived during CMK authentication and is provided directly.

The ceremony completes in two round-trips between the Secure Web Enclave (SWE) and the CVK ORK swarm. The CMK blind signature serves as a non-interactive proof of authentication - CVK ORKs verify it independently before signing.

Loading diagram...

Preconditions

CMK Authentication Must Complete

The CVK session protocol is a secondary ceremony that builds on top of the primary CMK authentication ceremony but is performed in parallel with it.

To start the CVK session protocol, the SWE must hold the output of a successful CMK round-trip 1 Authentication Ceremony (Protocol: CMK Authentication):

$\mathit{gCMKAuth}$ - the user's vendor-specific authentication public key
$m_{\text{auth}}$ - the authentication token message (containing $\mathit{VUID}$ , expiry, vendor session public key $K$ , session identifier)
$(k, K)$ - the non-extractable vendor session key pair

By the time the CVK round-trip 1 protocol completes, the SWE will also hold the output of CMK round-trip 2 Authentication, which is a pre-requisite for the CVK signing step (round-trip 2):

$(R, S)$ - the CMK blind signature on the specialized twisted Edwards curve BEd255475

The double-blind signature serves as a non-interactive proof: any party holding

\mathit{gCMKAuth}

can verify it via the standard Schnorr equation on the specialized BEd255475 curve.

Per-CVK-ORK Stored State

Each CVK ORK

i

stores (established during the user's CVK registration):

$\mathit{VUID}$ - the user's vendor-specific identifier (index key)
$\mathit{gCMKAuth}$ - the user's vendor authentication public key (used to verify CMK proof)
$\mathit{CVK}_i$ - Shamir share of the user's CVK private key
$\mathit{gCVK} = G \cdot \mathit{CVK}$ - the CVK public key (public value, same across all ORKs)
$\mathit{vSecORK}_i$ , $\mathit{vgORK}_i$ - the ORK's own long-term key pair

Vendor State

The vendor holds

\mathit{VUID}

\mathit{gCVK}

\mathit{gVVK}

, and the ephemeral

\mathit{gVRK}

+ its VVK-signed delegation proof.

Protocol Flow

Step 0 - CVK Swarm Discovery

The SWE queries the home ORK for the CVK swarm roster associated with this

\mathit{VUID}

\text{SWE} \rightarrow \text{Home ORK}: \textsf{GetKeyORKs}(\mathit{VUID})

Returns:

\mathit{gCVK}

, CVK ORK URLs, identifiers

\mathit{vId}_i

, and public keys

\mathit{vgORK}_i

If no CVK record exists for this VUID, the SWE initiates a CVK registration flow (separate protocol, not specified here).

Round-Trip 1: PreSign

Loading diagram...

Algorithm 1: CVK Nonce Generation (per-ORK )

Input:

\mathit{VUID}

K

(vendor session public key),

\mathit{modelName}

\mathit{gVRK}

\mathit{gVRKSig}

\mathit{gVVK}

, voucher
Output: encrypted nonce points

\mathit{enc}(\{\mathit{gCVKR}_i[j]\}_{j=1}^{m})

$\textsf{ValidateVoucher}(\text{voucher}, \text{``cvk-sign''})$
$\textsf{RetrieveCVKRecord}(\mathit{VUID})$ - abort if not found
assert $\mathit{gVVK}.\textsf{verifySig}(\mathit{gVRKSig})$
$m \leftarrow \textsf{NumberOfSigsForModel}(\mathit{modelName})$
for $j = 1$ to $m$ do
- $\mathit{cvkR}_i[j] \overset{\$}{\gets}$ ℤ $_\ell$
- $\mathit{gCVKR}_i[j] \leftarrow G \cdot \mathit{cvkR}_i[j]$
$\mathit{ECDH}_i \leftarrow \textsf{DH}(\mathit{vSecORK}_i, K)$
$\mathit{enc} \leftarrow \textsf{AES\_ENC}_{\mathit{ECDH}_i}(\{\mathit{gCVKR}_i[j]\}_{j=1}^{m})$
Create cache entry indexed by $(\mathit{VUID}, K)$ : store $K$ , $\mathit{modelName}$ , $\{\mathit{cvkR}_i[j]\}$ , $\mathit{ECDH}_i$
return $\mathit{enc}$

The ECDH channel between the SWE and each CVK ORK uses the vendor session key

K

- the same non-extractable key generated during the CMK ceremony. This binds the CVK session to the same browser context.

Convergence wait: The SWE waits up to 1 second for all

n

responses or 5 seconds for the first

t

(14), records participants in

\mathit{ORKsBitwise}

with count

I

SWE Processing: Nonce Aggregation and Message Construction

The SWE decrypts each ORK's response using the ECDH shared secret:

\mathit{ECDH}_i \leftarrow \textsf{DH}(\mathit{vgORK}_i, k)

\{\mathit{gCVKR}_i[j]\} \leftarrow \textsf{AES\_DEC}_{\mathit{ECDH}_i}(\mathit{ECDH}_i, \mathit{enc}_i)

It aggregates nonces per signature slot:

\mathit{gCVKR}[j] \leftarrow \sum_{i \in S} \mathit{gCVKR}_i[j] \quad \forall\, j \in [1..m]

It then constructs the message(s) to be signed, depending on the model. The primary slot (

j = 1

) is always a CVK session JWT:

\mathit{jwt} \leftarrow \textsf{createJWT}(\mathit{id}: \mathit{VUID},\; \mathit{spk}: K,\; \mathit{exp}: \text{timestamp} + 30\text{min},\; \mathit{iss}: \text{``Tide.org''},\; \mathit{aud}: \mathit{gVVK})

Additional slots carry model-specific payloads (e.g., an SSH certificate signing request, a blockchain transaction). The model determines how many slots and what validation rules each CVK ORK applies.

Round-Trip 2: Sign

Loading diagram...

Algorithm 2: CVK Signature Verification Gate and Partial Sign (per-ORK )

Input:

\mathit{VUID}

, CMK proof

(R, S, \mathit{gCMKAuth}, m_{\text{auth}})

\{\mathit{gCVKR}[j]\}_{j=1}^{m}

\mathit{ORKsBitwise}

\mathit{modelData}

Output:

\{\mathit{CVKs}_i[j]\}_{j=1}^{m}

(partial signatures)

Authentication gate:

Retrieve and destroy cache entry $(\mathit{VUID}, K)$
$\textsf{RetrieveCVKRecord}(\mathit{VUID})$ - loads $\mathit{gCMKAuth}$ , $\mathit{CVK}_i$ , $\mathit{gCVK}$
assert $m_{\text{auth}}.\mathit{VUID} = \mathit{VUID}$ (VUID in token matches stored)
assert $\mathit{gCMKAuth} = \text{stored } \mathit{gCMKAuth}$ (authentication key matches)
$e \leftarrow H(R, \mathit{gCMKAuth}, m_{\text{auth}})$ (on specialized BEd255475 curve)
assert $G \cdot S = R + e \cdot \mathit{gCMKAuth}$ (standard Schnorr verify on BEd255475 curve)
assert $m_{\text{auth}}.\mathit{expiry} > \textsf{timestamp}()$ (token not expired)

Model validation:

$m \leftarrow \textsf{NumberOfSigsForModel}(\mathit{modelName})$
$\textsf{ValidateModelRules}(\mathit{modelData})$ (model-specific policy checks)
Construct $\mathit{msg}[1] \leftarrow \mathit{jwt}$ ; $\mathit{msg}[2..m] \leftarrow$ model-specific payloads

Threshold signing (standard Ed25519, per slot):

$L_i \leftarrow \textsf{Lagrange}(\mathit{vId}_i, \text{participating\_ids from } \mathit{ORKsBitwise})$
for $j = 1$ to $m$ do
- $h[j] \leftarrow H(\mathit{gCVKR}[j] \| \mathit{gCVK} \| \mathit{msg}[j])$
- $\mathit{CVKs}_i[j] \leftarrow \mathit{cvkR}_i[j] + h[j] \cdot \mathit{CVK}_i \cdot L_i$
$\mathit{enc} \leftarrow \textsf{AES\_ENC}_{\mathit{ECDH}_i}(\{\mathit{CVKs}_i[j]\})$
return $\mathit{enc}$

The critical point: the CVK ORK independently verifies the CMK blind signature before producing any CVK partial signature. This is a non-interactive verification - the CVK ORK needs only

\mathit{gCMKAuth}

(which it stores from registration) and the signature

(R, S, m_{\text{auth}})

from the SWE. No communication with CMK ORKs is required.

SWE Processing: Signature Aggregation and Verification

Algebraic correctness:

\sum \mathit{CVKs}_i[j] = \sum (\mathit{cvkR}_i[j] + h[j] \cdot \mathit{CVK}_i \cdot L_i)

= \underbrace{\sum \mathit{cvkR}_i[j]}_{= \mathit{cvkR}[j]} + h[j] \cdot \underbrace{\sum \mathit{CVK}_i \cdot L_i}_{= \mathit{CVK}}

By Shamir reconstruction, the partial nonces sum to the joint nonce and the partial key contributions sum to the joint key - producing a standard Ed25519 signature verifiable against

\mathit{gCVK}

Delivery to Vendor

The SWE encrypts the results under the vendor's ephemeral public key:

\mathit{VendorEncryptedData} \leftarrow \textsf{ENC}_{\mathit{gVRK}}(\mathit{VUID}, \mathit{gCVK}, \{(\mathit{gCVKR}[j], \mathit{CVKS}[j])\}_{j=1}^{m})

The vendor decrypts, aggregates the per-slot signatures if needed, and establishes a session granting the user CVK-level authority. The primary JWT signature (

j = 1

) authorizes the session; additional slots provide model-specific signed artifacts (SSH certificates, signed transactions, etc.).

The Model System

The CVK ceremony supports model-based multi-signature: a single authentication can produce multiple purpose-specific signatures in parallel, each covering a different payload and subject to different validation rules.

Model	Slots	Primary Signature	Additional Signatures	Validation Rules
Default	1	CVK session JWT	-	Standard claims validation
OpenSSH	2	CVK session JWT	SSH user auth request (SSH wire format)	Parse SSH request, validate against SSH policy rules
Custom	$m$	CVK session JWT	Application-defined payloads	Application-defined rules enforced by CVK ORKs

Each CVK ORK independently validates model rules before signing. The model name is committed during PreSign (cached server-side); it cannot be changed between rounds.

The number of nonces generated in Round-Trip 1 matches the number of signatures the model requires. Each slot

j

has its own independent nonce

\mathit{cvkR}_i[j]

, aggregate

\mathit{gCVKR}[j]

, message

\mathit{msg}[j]

, and partial signature

\mathit{CVKs}_i[j]

Failure Recovery

ORK drops between PreSign and Sign. If a CVK ORK that committed nonces in PreSign fails to respond to Sign, the nonce set is inconsistent. The SWE must restart with a new PreSign. The CMK blind signature remains valid (its expiry is typically 30-90 seconds) and does not need to be recomputed.

CMK blind signature expired. If the CMK authentication token's expiry has elapsed before the Sign call reaches CVK ORKs, verification fails. The SWE must re-authenticate via the CMK ceremony (or the stored authentication variant if within the remember-me window).

CVK record not found. If no CVK record exists for this VUID, the SWE initiates a CVK registration flow - a separate protocol that creates CVK shares via DKG and distributes them across the CVK ORK swarm.

Notation Reference

Notation inherited from the CMK sub-protocols (Protocol: PRISM, Protocol: Double-Blind TSS) is not restated. CVK-specific notation:

Symbol	Description
$\mathit{CVK}$ , $\mathit{CVK}_i$	User's Consumer Vendor Key (joint private key) / ORK $i$ 's Shamir share
$\mathit{gCVK}$	CVK public key: $G \cdot \mathit{CVK}$
$\mathit{VUID}$	Vendor User ID (derived during CMK authentication)
$\mathit{gCMKAuth}$	User's vendor-specific authentication public key (from CMK ceremony)
$(R, S)$	CMK blind signature (proof of authentication)
$m_{\text{auth}}$	CMK authentication token message (contains VUID, expiry, session key $K$ )
$(k, K)$	Vendor session key pair (non-extractable via WebCrypto, generated during CMK ceremony)
$\mathit{vSecORK}_i$ , $\mathit{vgORK}_i$	CVK ORK $i$ 's long-term private/public key
$\mathit{cvkR}_i[j]$ , $\mathit{gCVKR}_i[j]$	Per-ORK nonce scalar/point for signature slot $j$
$\mathit{gCVKR}[j]$	Aggregate nonce for slot $j$ : $\sum \mathit{gCVKR}_i[j]$
$m$	Number of signature slots required by the model
$\mathit{gVRK}$	TideCloak's ephemeral public key (for encrypting payloads to TideCloak)
$L_i$	Lagrange coefficient for CVK ORK $i$
$\textsf{ENC}_{A}(B)$	X25519-based El-Gamal encryption of message $B$ with public key $A$
$\textsf{AES\_ENC}_{a}(B)$	AES256 encryption of message $B$ with key $a$
$\textsf{AES\_DEC}_{a}(B)$	AES256 decryption of message $B$ with key $a$

Actors & Trust Assumptions

Actor	Role	Trust Assumption
Secure Web Enclave	Orchestrates the CVK ceremony after CMK authentication. Aggregates CVK partial signatures.	Potentially adversarial. A malicious SWE that has completed CMK auth can only produce CVK signatures for its own VUID - it cannot sign on behalf of other users or other vendors.
Home ORK	Returns CVK swarm roster for the given VUID.	No elevated trust. Compromised home ORK can return stale roster.
CVK ORK Swarm (20 nodes)	Independently operated nodes holding CVK shares for this user-vendor pair. Verify CMK proof before signing.	Up to 13 may be malicious. Separate swarm from CMK ORKs - different nodes, different operators, different key material.
Vendor	Receives CVK-signed payloads. Aggregates partial signatures. Establishes user session with CVK authority.	Holds $\mathit{gCVK}$ (public), $\mathit{VUID}$ , $\mathit{gVRK}$ (ephemeral). Never possesses CVK private key.
Settlement Layer	Funds CVK ORK operations via one-time voucher.	Binds operation to paying vendor.

Layer Traversal

Layer	How CVK Activation Engages It
Legitimacy	Voucher validates each CVK ORK call. ECDH between $K$ and $\mathit{vgORK}_i$ qualifies the channel.
Authority	Each CVK ORK retrieves its CVK share $\mathit{CVK}_i$ - undifferentiated key material.
Agency	The standard threshold Ed25519 partial signature is the purpose-specific operation. The CMK blind signature verification is the authentication gate.
Settlement	Voucher funds participation, binds operation to vendor, ensures the CVK operation was authorized by the correct payer.

Security Properties

Property	Mechanism	Assumption
CMK authentication required	CVK ORKs independently verify CMK blind signature $(R, S)$ against stored $\mathit{gCMKAuth}$ before signing	Specialized BEd255475 curve hardness
No CVK private key materialization	CVK Shamir-shared across 20 independent ORKs; joint key reconstructed only as implicit sum within partial signatures	Threshold assumption ( $< t$ compromised)
Session binding	ECDH channel uses vendor session key $K$ (non-extractable); CVK session JWT embeds $K$ as session proof	WebCrypto API integrity
CMK proof non-transferable	Authentication token $m_{\text{auth}}$ contains vendor session key $K$ , VUID, and expiry; CVK ORKs verify VUID and $\mathit{gCMKAuth}$ match stored values	Token construction integrity
Model commitment	Model name committed during PreSign, cached server-side; Sign call cannot alter the model or request additional signature slots	Cache integrity
Model rule enforcement	Each CVK ORK independently validates model-specific rules before signing; a malicious SWE cannot bypass policy	Threshold: majority of ORKs enforce rules honestly
Cross-vendor isolation	CVK shares are per-vendor (distinct from CMK shares); CVK ORKs store only data for their vendor's users	Structural property
Separate trust domain	CVK ORK swarm is operationally independent from CMK ORK swarm - different nodes, different operators, different key material	Swarm assignment protocol
Replay resistance	Nonce cache entries destroyed on use; CMK proof has bounded expiry	ORK cache discipline
14-of-20 fault/security tolerance	Same threshold properties as CMK: 6 may be offline, 13 may be malicious	Threshold assumption

Comparison: CVK vs VVK

Both CVK and VVK produce threshold Schnorr signatures via ORK swarms. The distinction is in authority scope:

Property	VVK (Organization)	CVK (User)
Key scope	One key per vendor/organization	One key per user-vendor pair
Authority model	Shared organizational authority, differentiated by RBAC	Individual user authority
Authentication gate	TideCloak presents authorization proof	CMK blind signature
Typical uses	JWT signing, RBAC enforcement, org-managed E2EE	Identity wallets, crypto wallets, SSH certs, personal signatures
Who initiates	TideCloak IAM (server-side)	User SWE (client-side)
Signing style	Standard threshold Schnorr	Standard threshold Schnorr

Some platforms use both: VVK for organizational access control and CVK for personal wallet capabilities, authenticated through the same CMK ceremony.

Call Summary

Call	Direction	Payload	State Change
PreSignCVK	SWE → all $n$ CVK ORKs	Send: $\mathit{VUID}$ , $K$ , $\mathit{modelName}$ , $\mathit{gVRK}$ +sig, $\mathit{gVVK}$ , voucher. Receive: encrypted nonces $\mathit{gCVKR}_i[1..m]$	ORK creates cache entry $(\mathit{VUID}, K)$
SignCVK	SWE → $I$ participating ORKs	Send: $\mathit{VUID}$ , CMK proof $(R, S, \mathit{gCMKAuth}, m_{\text{auth}})$ , $\{\mathit{gCVKR}[j]\}$ , $\mathit{ORKsBitwise}$ , $\mathit{modelData}$ . Receive: encrypted partial signatures $\{\mathit{CVKs}_i[j]\}$	ORK destroys cache entry

Between calls, the SWE decrypts nonces, aggregates per slot, and constructs message(s). No network communication occurs.

References

Komlo, C. & Goldberg, I. (2020). FROST: Flexible Round-Optimized Schnorr Threshold Signatures. SAC 2020.
Hall, J. L., Hertzog, Y., et al. (2023). Manifesting Unobtainable Secrets: Threshold Elliptic Curve Key Generation using Nested Shamir Secret Sharing. arXiv:2309.00915. Presented at AustMS 2021.
RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP). IETF, 2023.
Tide Developer Documentation: docs.tidecloak.com