PRISM Password Change | Cyber Immunity Whitepaper

Overview

This document specifies the PRISM Password Change ceremony - the protocol for rotating a user's PRISM secret (the distributed cryptographic salt for password verification) without exposing the old password, the new password, or the complete PRISM secret to any single entity. Only the PRISM secret changes. The CMK, gCMK, VUID, gCMKAuth, and swarm membership are entirely untouched.

The protocol requires dual authorization: the user proves knowledge of the current password via the PRISM (Phase 1), and the CMK authorizes the state transition via an Accountable Group Signature (Phases 3/5). The ceremony reuses the Nested Shamir DKG construction from Protocol: Account Creation / KeyGen, scoped to PRISM only (numKeys = 1), with the existing swarm loaded from ORK local storage (mIdORK_ij = null).

Loading diagram...

Preconditions

Condition	Detail
User	Possesses current username, current password, and desired new password.
ORK swarm	Each ORK holds a committed record for this $uid$ containing: $CMK_i$ (unchanged), $gCMK$ (unchanged), $PRISM_i$ (to be replaced), $PRISMAuth_i$ (to be replaced). Established during Protocol: Account Creation / KeyGen.
Network	Home ORK reachable. At least $t$ (14) ORKs in the swarm available.

Protocol Flow

Phase 1: Authentication Preamble (ConvertPass)

Loading diagram...

The ConvertPass call is a partial BYOiD ceremony - the PRISM evaluation and self-request generation from Protocol: CMK Authentication, without the blind signature or JWT issuance. An ORK cannot distinguish this from a standard login preamble.

If the password is wrong, the interpolated gPassPRISM is incorrect, the derived verifiers fail, and encRequest_i decryption produces garbage. The Secure Web Enclave (SWE) cannot proceed.

Phases 2-3: PRISM DKG (UpdateShard + SetPRISM)

Loading diagram...

Key differences from Account Creation DKG: numKeys = 1 (PRISM only, CMK untouched). mIdORK_ij = null (swarm loaded from ORK local storage). Authorization via selfRequest_i (from ConvertPass) rather than reservation token.

Active vs. Passive ORKs: An ORK that participated in ConvertPass and holds a valid selfRequest_i is "active" - it contributes both PRISM shares and a partial group signature. An ORK that came online between Phases 1 and 2 (missing ConvertPass) is "passive" - it contributes PRISM shares to maintain threshold health but sets S_i = null and does not participate in the Accountable Group Signature. The ORKsBitwise array is updated during SetPRISM based on each peer's activeOrigin flag to reflect this distinction.

CMK authorizes the PRISM change. The group signature uses keyAuth = gCMK and each active ORK signs with mSecORK_i + CMK_i, not the PRISM shard. The old password proved identity (Phase 1); the CMK proves the swarm authorized the state transition.

The SWE executes a BYOiD SignIn() using the new password against the uncommitted PRISM state. Successful completion proves the new PRISM secret is correctly generated, the new per-ORK verifiers match the new password-PRISM product, and the unchanged CMK still processes blind signatures correctly.

If the test fails, uncommitted state times out and the old password remains in effect.

Phase 5: Commit

Loading diagram...

The mimDB (Mimir Database - The Fabric's synced repository) AddOrUpdateKeyMAP operation updates the existing record in the TWELVE-MAP directory with the new digest mDigest that encapsulates the updated state of the participating ORKs, new signature S, and new gR. The gCMK and swarm membership mIdORK[1..n] are persisted unchanged. Any ORK that missed the ceremony will detect a digest mismatch and initiate Protocol: Key Healing to retrieve its new PRISM shard from the SafeKeep records.

Loading diagram...

Algorithms

Algorithm 1

ConvertPass PRISM and Challenge Construction (per ORK )

Input:

\text{uid}

\text{gBlurPass}

gSessKeyPub

Output:

\text{gBlurPassPRISM}_i

\text{encRequest}_i

$\text{Retrieve } PRISM_i, PRISMAuth_i \text{ from local store for } \text{uid}$
$\text{gBlurPassPRISM}_i \leftarrow \text{gBlurPass} \cdot PRISM_i$ - PRISM evaluation
$\tau_i \leftarrow \textsf{epochTimeUTC}()$
$prkECDH_i \leftarrow \textsf{DH}(mSecORK_i,\ gSessKeyPub)$
$ext_i \leftarrow \textsf{randBetween}(0.5,\ 1.5)$
$AuthRequest \leftarrow (\text{uid},\ \text{"auth"},\ \tau_i + ext_i,\ gSessKeyPub)$
$selfRequest_i \leftarrow \textsf{AES\_ENC}_{aesKey_i}(AuthRequest)$ - inner peel: self-sealed
$prkRequest_i \leftarrow \textsf{AES\_ENC}_{prkECDH_i}(selfRequest_i)$ - middle peel: session-bound
$encRequest_i \leftarrow \textsf{AES\_ENC}_{PRISMAuth_i}(prkRequest_i\ \|\ \tau_i\ \|\ ext_i)$ - outer peel: password-proof
return $\text{gBlurPassPRISM}_i,\ encRequest_i$

Algorithm 2

PRISM UpdateShard (per ORK )

Input:

n, t, \{mIdORK_j\}_{j=1}^{n}

\text{gBlurNewPass}

selfRequest_i

Output:

\{YijCipher_j\}_{j \neq i}

encReply_i

$\textsf{If } selfRequest_i \text{ valid: } activeORK \leftarrow \textsf{true} \text{; else } activeORK \leftarrow \textsf{false}$
$ECDH_{ij} \leftarrow \textsf{DH}(mSecORK_i, mgORK_j) \quad \forall j \neq i$
$\tau_i \leftarrow \textsf{epochTimeUTC}()$
$PRISM'_i \overset{\$}{\gets}$ ℤ $_\ell$ - new random PRISM sub-secret
$\mathcal{A}^{P}_i \leftarrow \mathcal{G} \cdot PRISM'_i$
$(S^{P}_i, R^{P}_i) \leftarrow \textsf{EdDSASign}_{PRISM'_i}(\tau_i)$
$\sigma^{P}_{i \to j} \leftarrow \textsf{ShamirSplit}(PRISM'_i, t, n, \{mIdORK_j\}) \quad \forall j$
$gMultiplied_i \leftarrow \text{gBlurNewPass} \cdot PRISM'_i$
$YijCipher_j \leftarrow \textsf{AES\_ENC}_{ECDH_{ij}}(\text{uid}, \tau_i, \sigma^{P}_{i \to j}, \mathcal{A}^{P}_i, R^{P}_i, S^{P}_i, activeORK) \quad \forall j \neq i$
$\textsf{If } activeORK: r_i \overset{\$}{\gets}$ ℤ $_\ell,\ gR_i \leftarrow \mathcal{G} \cdot r_i \text{; else } r_i, gR_i \leftarrow \textsf{null}$
$encReply_i \leftarrow \textsf{ENC}_{gSessKeyPub}(gR_i, gMultiplied_i, \mathcal{A}^{P}_i, \tau_i)$
Cache state indexed by $gSessKeyPub$

Algorithm 3

PRISM Share Aggregation and Verification - SetPRISM (per ORK )

Input:

\{YijCipher_j\}_{j=1}^{I}

(from peers), cached state from UpdateShard
Output:

PRISMY_i

(final new PRISM share),

gPRISM

Retrieve and destroy cache entry for $gSessKeyPub$
$(\sigma^{P}_{j \to i}, \mathcal{A}^{P}_j, R^{P}_j, S^{P}_j, activeOrigin_j) \leftarrow \textsf{AES\_DEC}_{ECDH_{ij}}(YijCipher_j) \quad \forall j$
$\textsf{assert}(I \geq t)$
$ORKsBitwise \leftarrow \textsf{UpdateParticipatingORKs}(activeOrigin_{1..I})$
Verify timestamps: $|\tau_j - \textsf{median}(\tau_{1..I})| \leq 30\text{s} \quad \forall j$
$PRISMY_i \leftarrow \sum_{j=1}^{I} \sigma^{P}_{j \to i} + \sigma^{P}_{i \to i}$ - final new PRISM share
Schnorr verification:
- $\textsf{assert}\bigl(\mathcal{G} \cdot S^{P}_j \stackrel{?}{=} R^{P}_j + H(R^{P}_j, \mathcal{A}^{P}_j, \tau_j) \cdot \mathcal{A}^{P}_j\bigr) \quad \forall j$
- Failure → abort + SLA violation report
$gPRISM \leftarrow \sum_{j} \mathcal{A}^{P}_j$

Algorithm 4

Accountable Group Signature - RESET (per active ORK )

Input:

gCMK

CMK_i

mSecORK_i

r_i

gR

\text{uid}

gSessKeyPub

\{mIdORK_j\}

ORKsBitwise

Output:

S_i

(partial group signature) or

\textsf{null}

if passive

$\textsf{If not } activeORK: \textbf{ return } \textsf{null}$
$PermissionMessage \leftarrow (\text{uid},\ \text{"RESET"},\ gSessKeyPub,\ \tau + 30)$
$mDigest \leftarrow H(ORKsBitwise\ \|\ PermissionMessage)$
$mgORKs \leftarrow \sum_{j \in I} mgORK_j + mgORK_i$
$keyAuth \leftarrow gCMK$ - CMK authorizes the PRISM change
$S_i \leftarrow \textsf{partialSign}($
$\qquad \qquad \qquad gR,$ - Public nonce
$\qquad \qquad \qquad keyAuth + mgORKs,$ - Public key
$\qquad \qquad \qquad mDigest,$ - Digest of participating ORKs
$\qquad \qquad \qquad r_i,$ - Nonce secret
$\qquad \qquad \qquad mSecORK_i + CMK_i,$ - Secret signing key
$\qquad \qquad \qquad \{mIdORK_j\},$ - List of participating ORK IDs
$\qquad \qquad \qquad ORKsBitwise$ - Bitwise array of participating ORKs
$\qquad \qquad \qquad )$
$encS_i \leftarrow \textsf{Enc}_{gSessKeyPub}(S_i)$

Verification:

AccountableKey \leftarrow gCMK + \sum mgORK_i

; assert

AccountableKey.\textsf{verifySig}(gR, S, mDigest)

where

S = \sum S_i

Algorithm 5

Notation Reference

Symbol	Description
$\mathcal{G}$	Generator point on Curve25519 / specialized twisted Edwards $BEd255475$ for double-blind signatures
$A \cdot b$	Scalar-point multiplication
$H(\cdot)$	SHA-256 unless stated otherwise
$\textsf{DH}(a, B)$	Diffie-Hellman: $B \cdot a$
$\textsf{H2P}(\cdot)$	Hash-to-point (Elligator 2 on Curve25519)
$\text{gBlurPass}$ , $\text{gBlurNewPass}$	Blinded password points
$r_1$ , $r_2$	Blinding scalars for old and new password respectively
$PRISM_i$	ORK $i$ 's current PRISM shard (to be replaced)
$PRISM'_i$	ORK $i$ 's new random PRISM sub-secret contribution
$PRISMY_i$	ORK $i$ 's final new PRISM share: $\sum \sigma^P_{j \to i} + \sigma^P_{i \to i}$
$PRISMAuth_i$	ORK $i$ 's current per-ORK PRISM verifier
$newPRISMAuth_i$	ORK $i$ 's new PRISM verifier: $\textsf{DH}(mSecORK_i, gNewPRISMAuth)$
$gPRISMAuth$	Current PRISM authentication base point
$gNewPRISMAuth$	New PRISM authentication base point: $\mathcal{G} \cdot H(\text{gNewPass} \cdot s')$
$CMK_i$	ORK $i$ 's CMK shard (unchanged throughout)
$gCMK$	User's CMK public key (unchanged throughout)
$mSecORK_i$ , $mgORK_i$	ORK $i$ 's long-term private/public key
$mDigest$	Current key's Accountable Group Signature digest of participating ORKS, as taken from the Home ORK's TWELVE-MAP response: $H(ORKsBitwise\ \\|\ PermissionMessage)$
$aesKey_i$	ORK $i$ 's symmetric key
$\textsf{AES\_ENC}_{a}(B)$	AES256 encryption of message $B$ with key $a$
$\textsf{ENC}_{A}(B)$	X25519-based El-Gamal encryption of message $B$ with public key $A$
$\textsf{DEC}_{a}(B)$	X25519-based El-Gamal decryption of message $B$ with private key $a$
$mIdORK_i$	ORK $i$ 's public identifier
$ECDH_{ij}$	Pairwise shared secret between ORKs $i$ and $j$
$gSessKeyPub$ ( $U$ )	SWE's session public key (non-extractable)
$selfRequest_i$	Per-ORK authorization token from ConvertPass
$activeORK$	Boolean: did this ORK participate in ConvertPass?
$n$ , $t$ , $I$	Swarm size (20), threshold (14), respondent count
$S$ , $S_i$	Aggregate / partial Accountable Group Signature
$gR$ , $gR_i$	Aggregate / partial signature nonce
$mDigest$	Digest: Current key's Accountable Group Signature digest of participating ORKS, as taken from the Home ORK's TWELVE-MAP response: $H(ORKsBitwise\ \\|\ PermissionMessage)$
$ORKsBitwise$	Bitwise array of ORKs that participated in the original ceremony

Actors and Trust Assumptions

Actor	Description	Trust Assumption
SWE	Browser cryptographic agent. Orchestrates ConvertPass, UpdateShard, SetPRISM, test sign-in, and Commit. Blinds both passwords.	Potentially adversarial. Cannot execute password change without current password (PRISM enforces).
Home ORK	Entry point. Provides swarm roster via the TWELVE-MAP lookup.	No elevated trust. Public metadata only.
CMK ORKs ( $n = 20$ )	Hold CMK and PRISM shares (and backup SafeKeep packages). Generate new PRISM sub-secrets, combine shares, derive new verifiers, produce partial group signatures (if active).	Up to 13 may collude. Each independently generates random PRISM contribution.
mimDB	Mimir Database - The Fabric's synced append-only repository. Stores updated key record. Independently verifies Accountable Group Signature.	Registry integrity.
TWELVE-MAP	Tide Wide Enumerated Ledger of Verifiable Entries - Mapping Authoritative Pointers is the self-verifying directory service on mimDB mapping key identifiers to ORK swarms.	Each entry includes a ZK proof attesting to its authenticity against the master registry.

Layer Traversal

Layer	How the Protocol Engages It
Legitimacy	ECDH session establishment. Voucher validation for ConvertPass and DKG calls.
Authority	Primary layer for Phases 2-5. New PRISM shares generated, distributed, combined, and stored via Nested Shamir DKG. Old PRISM shares replaced atomically at commit. CMK shares untouched.
Agency	Engaged in Phase 1. The PRISM evaluation ( $\text{gBlurPass} \cdot PRISM_i$ ) is a purpose-specific MPC operation - the PRISM share is used to verify the old password before the Authority Layer replaces it.
Settlement	Vouchers fund ConvertPass and DKG operations.

Security Properties

Property	Mechanism	Assumption
No password exposure (old)	Old password blinded as $\text{gBlurPass} = \text{gPass} \cdot r_1^{-1}$ . ORKs evaluate PRISM on blinded point.	Blinding scalar randomness
No password exposure (new)	New password blinded as $\text{gBlurNewPass} = \text{gNewPass} \cdot r_2^{-1}$ . ORKs multiply by $PRISM'_i$ on blinded point.	Blinding scalar randomness
CMK-based authorization	Group signature uses $keyAuth = gCMK$ and $CMK_i$ shards. Old password proves identity (Phase 1); CMK proves swarm authorization (Phase 3).	DLP hardness
PRISM isolation from CMK	`numKeys = 1` restricts DKG to PRISM. CMK shard, gCMK, VUID, gCMKAuth structurally unaffected.	-
Per-ORK verifier uniqueness	$newPRISMAuth_i = \textsf{DH}(mSecORK_i, gNewPRISMAuth)$ . Bound to ORK's private key. SWE never learns individual values.	DLP on Curve25519
ORK learns neither password	Old: sees $\text{gBlurPass}$ (blinded). New: sees $\text{gBlurNewPass}$ (blinded) and $gNewPRISMAuth$ (one-way hash). Cannot extract passwords or compare old vs. new.	DLP. Hash preimage resistance.
Active/passive ORK segregation	Only ORKs that verified old password (ConvertPass) participate in group signature. Passive ORKs contribute shares but not authorization.	-
Fraud detection	Schnorr proof verification on each ORK's PRISM contribution before share acceptance. Failure → abort + SLA report.	DLP hardness
Two-phase commit	Uncommitted state held until test sign-in succeeds and aggregate signature verified. Old PRISM remains authoritative until explicit commit. Auto-purge on timeout.	-
Threshold security tolerance	Up to 13 ORKs may collude without forging authorization or recovering the PRISM secret.	Threshold $t = 14$
Transport-independent security	Pairwise ECDH encryption between ORKs. Session ECDH between SWE and each ORK. No reliance on TLS.	ECDH + AES security
SafeKeep forward recovery	Absent ORKs' new PRISM shares encrypted under pairwise ECDH, signed, stored on each ORK's local database. Retrievable via Protocol: Key Healing.	AES-256. ORK key integrity.

Call Summary

Call	Direction	Purpose
`keyLookup`	SWE → Home ORK	Retrieve swarm roster and gCMK
`ConvertPass`	SWE → all $n$ ORKs	PRISM OPRF on blinded old password. Returns triple-encrypted selfRequest tokens.
`UpdateShard`	SWE → $I$ ORKs	PRISM DKG round 1. `numKeys=1`, `mIdORKij=null`, `gBlurNewPass` as multiplier, `selfRequest_i` as auth.
`SetPRISM`	SWE → $I$ ORKs	PRISM DKG round 2. Distribute peer shares, aggregate, verify Schnorr proofs, derive new verifiers, produce group signature (active ORKs). Store uncommitted.
`SignIn`	SWE → $I$ ORKs	Test authentication with new password against uncommitted state.
`Commit`	SWE → $I$ ORKs	Submit aggregate signature. Verify, transition Uncommitted → Committed, write to mimDB.

References

Hall, J. L., Hertzog, Y., et al. (2023). Manifesting Unobtainable Secrets: Threshold Elliptic Curve Key Generation using Nested Shamir Secret Sharing. arXiv:2309.00915. Presented at AustMS 2021.
Wang, F., Hertzog, Y., et al. (2023). Towards Zero Trust Authentication in Critical Industrial Infrastructures with PRISM. ACNS 2023 Workshops, LNCS 13907. Springer, Cham.
Tide Developer Documentation: docs.tidecloak.com

Overview

Preconditions

Protocol Flow

Phase 1: Authentication Preamble (ConvertPass)

Phases 2-3: PRISM DKG (UpdateShard + SetPRISM)

Phase 4: Test Sign-In

Phase 5: Commit

Algorithms

Algorithm 1

Algorithm 2

Algorithm 3

Algorithm 4

Algorithm 5

Notation Reference

Actors and Trust Assumptions

Layer Traversal

Security Properties

Call Summary

References