1
- 14-of-20 Threshold
- The execution threshold for key operations. Up to 6 nodes can be offline (fault tolerance) and up to 13 compromised without breaking key security (security tolerance).— The Model
A
- Agency Layer
- The execution layer where authority becomes action through purpose-specific MPC protocols (signing, decryption, and randomness generation) with ORKs operating blindly.— The Model
- Anonymous Voucher
- A compartmentalised micro-payment mechanism providing payment assurance without revealing payment flows. Every operation is voucher-gated to prevent fraud.— Settlement Layer
- Asgard
- The backend counterpart to the SWE: a Dealer Library crypto engine for server-side Fabric operations including JWT verification and backend encryption/decryption.— Client Architecture
- Authenticator App
- A mobile application providing device-bound passwordless login via DVK and biometrics. Eliminates the browser from the credential surface and cross-verifies sessions.— Client Architecture
- Authority Artifact
- Any digital object (a private key, credential database, or admin vault) that holds unilateral power to verify, sign, or grant access. The singular vulnerability that Tide eliminates.— Authority Problem
- Authority Dissolution
- The process of distributing authority across four independent surfaces (Storage, Use, Governance, Policy Logic) so that no single entity can validate credentials or sign tokens alone.— The Model
- Authority Layer
- The key lifecycle engine governing generation, maintenance, healing, rotation, and disposal of cryptographic shards. Enforces quorum governance and Forseti policy.— The Model
- Authorization Proof
- A VVK-signed attestation that a specific user-client pair is entitled to specific roles, scopes, and permissions. Stored in TideCloak, verified by VVK ORKs.— Governance
B
- BEd255475
- A non-standard twisted Edwards curve introduced for domain separation in the Double-Blind TSS, preventing a malicious SWE from weaponising ORKs as a signing oracle.— BYOiD
- Bidirectional Identity Isolation
- CMK ORKs have no metadata about vendors; VVK ORKs and vendors have no knowledge of CMK ORK assignments. Mutual privacy between identity surfaces.— Threat Model
- BRK (Browser Key)
- A persistent key generated by the SWE and stored in the browser. Used by the Authenticator App for cross-verification and device recognition without centralised device registration.— Client Architecture
- BYOiD (Bring Your Own Identity)
- Tide's authentication model that flips the traditional relationship: instead of users proving themselves to a service that holds their credentials, users bring their own cryptographic authority, which the platform can then use only in ways the legitimate user enables. Supports both password-based and passwordless (2FA) authentication. Eliminates credential stores and centralised signing keys, producing standard OIDC tokens through a distributed cryptographic ceremony on the Fabric.— BYOiD
C
- CMK (Consumer Master Key)
- A user's root identity key across the Tide network, distributed across a user-specific ORK swarm. Used during authentication to prove identity and derive vendor-specific identifiers.— The Model
- Credit Facility
- A vendor's prepaid monthly allocation of operational credits consumed per threshold operation.— Settlement Layer
- Cross-Vendor Unlinkability
- The guarantee that multiple vendors cannot collude to link a user's activities. Achieved via the Double-Blind TSS producing vendor-specific uncorrelatable identifiers.— Threat Model
- CVK (Consumer Vendor Key)
- A user-specific personal key within a particular vendor's context. Functions as a sovereign personal wallet for credentials, digital assets, or private communications.— BYOiD
- Cyber Immunity
- The security model advanced in this whitepaper series. Rather than expecting that breaches can be prevented, systems are rearchitected to keep authority out of the direct reach of any system, operator, or attacker, ensuring that inevitable compromises cannot escalate into catastrophic damage. Cyber Immunity is achieved by implementing Ineffable Cryptography through the Cybersecurity Fabric, decentralizing authority for digital resilience.— Authority Problem
D
- Decentralised Account Recovery
- Threshold-validated secondary authentication when a user loses their credentials. Each ORK independently sends a recovery credential; collecting a threshold of them regenerates access without materialising the key.— Key Lifecycle
- Distributed Key Generation (DKG)
- A protocol for generating cryptographic keys across multiple nodes without any single entity computing the complete key. Keys are born natively as distributed fragments.— Key Lifecycle
- Doken (Delegated Authority Token)
- A VVK-signed token distinct from a JWT, issued alongside the JWT during token exchange. Provides client-side proof of authority for Forseti policy evaluation.— Authority in Action
- Domain Separation
- A cryptographic technique ensuring signatures or values created for one context cannot be valid in a different context, preventing cross-context weaponisation.— BYOiD
- Double-Blind Threshold Signature Scheme
- A novel two-sided blinding construction enabling vendor-unlinkable identity derivation. Neither side of the signing process learns the message or the verification key.— BYOiD
- DVK (Device Key)
- A private key stored in a mobile device's secure element, used by the Authenticator App for device-bound biometric authentication.— Client Architecture
F
- Forseti
- A programmable distributed policy engine executing C# contracts on each ORK node in parallel. Enforces context-aware rules without centralised policy enforcement; policies must be quorum-approved.— Authority in Action
- Forseti Contract
- Deterministic C# code (identified by the SHA-512 hash of its source) executed by each ORK. Follows a three-stage validation lifecycle: Data, Approvers, and Executor.— Authority in Action
- Four-Layer Architecture
- Tide's abstract traversal model: Legitimacy (request validation), Authority (key lifecycle), Agency (purpose-specific MPC execution), and Settlement (economic binding and payer isolation).— The Model
- FROST
- Flexible Round-Optimised Schnorr Threshold Signatures (FROST): an academically peer-reviewed threshold signature scheme providing efficient multi-round signature generation.— Governance
H
- Hermetic E2EE
- End-to-end encryption where cleartext exists only on the user's device. Uses threshold proxy re-encryption so that both the server and Fabric remain blind to plaintext.— Authority in Action
- Home ORK
- A specialised ORK role that provides roster lookups: given a user ID, it returns the composition of the user's ORK swarm.— Client Architecture
- Honest-Minority Assumption
- The irreducible trust assumption that no more than 13 of 20 ORKs in the same swarm are colluding. This is the security foundation of the 14-of-20 threshold.— Threat Model
I
- IGA (Identity Governance and Administration)
- The workflow for quorum-enforced governance changes including authorisation proofing, with a draft/approval/commit state machine.— Governance
- Ineffable Cryptography
- The name given to Tide's suite of cryptographic primitives and protocols, including Nested Shamir DKG, PRISM, the Double-Blind Threshold Signature Scheme, and Proxy Re-encrypted Threshold Signatures, that allow keys to be generated, operated, and governed in distributed pieces, never materializing as complete artifacts at any point in their lifecycle. Ineffable Cryptography is the enabling science. The Cybersecurity Fabric is the infrastructure that implements it.— The Model
K
- Key Healing
- A system-initiated process that restores degraded shard sets to full strength. Healthy ORKs collaboratively compute replacement shards via homomorphic properties without assembling the key.— Key Lifecycle
- Key-Type Agnosticism
- A security property where ORKs at the Authority Layer operate on undifferentiated mathematical points without metadata indicating whether a shard is CMK, VVK, or CVK.— The Model
- KeyleSSH
- An SSH key management application demonstrating threshold signing with Forseti policy enforcement. Eliminates SSH key theft and sprawl through distributed, ineffable signing.— Authority in Action
L
- Lagrange Interpolation
- A mathematical technique for reconstructing a polynomial from multiple points. Used for threshold aggregation of partial signatures and decryptions.— Authority in Action
- Legitimacy Layer
- The first architectural layer, validating who is asking and whether they are allowed. Establishes ECDH sessions and intercepts unauthorised or malformed requests.— The Model
N
- Nested Shamir Secret Sharing
- Tide's DKG mechanism where keys are born as distributed mathematical fragments across independent nodes with no dealer and no moment of assembly.— Key Lifecycle
O
- OPRF (Oblivious Pseudorandom Function)
- The base cryptographic primitive (formalised in RFC 9497) upon which PRISM is constructed. Allows a function to be evaluated without the evaluator learning the input.— BYOiD
- ORK (Orchestrated Recluder of Keys)
- An independently operated node on Tide's Cybersecurity Fabric. Each ORK stores key shards and participates in threshold cryptographic operations. ORKs are the nodes that comprise the Fabric, each run by a different organisation on independent infrastructure. The network is designed for unlimited horizontal scaling.— The Model
- ORK Swarm
- A set of 20 Fabric nodes holding distributed shards of a specific key. Each node in a swarm is operated by a different organisation. Operations require a 14-of-20 threshold for that key population.— The Model
P
- Payer ORK
- An economic clearinghouse role that validates vouchers in real time, enforces credit balances, prevents replay, and issues redemption proofs. Operated by multiple independent parties.— Settlement Layer
- Payer-to-Asset Binding
- A cryptographic guarantee that operations funded by Vendor A can only produce tokens bound to Vendor A's scope, preventing token forgery via voucher misuse.— Settlement Layer
- PRISM
- Tide's zero-knowledge authentication protocol on the Cybersecurity Fabric. Uses a Threshold Oblivious Pseudorandom Function (TOPRF) for distributed password verification where no credential or verifiable artifact is stored anywhere. Supports both password-based and passwordless (2FA) authentication. The verification function exists only as an emergent property of the live Fabric.— BYOiD
- Proactive Secret Sharing
- Periodic refresh of all shards producing a completely new set mathematically incompatible with the old set, while the underlying master key remains unchanged.— Key Lifecycle
- Proxy Re-Encryption
- A cryptographic mechanism allowing partial decryption without the server ever accessing plaintext. Used in Hermetic E2EE to enable blind delegation.— Authority in Action
Q
- Quorum-Enforced Governance
- A system where administrative changes require cryptographic consensus of an administrator quorum. Changes are enforced by VVK threshold signatures, not software policies.— Governance
R
- Ragnarök Protocol
- The governance-gated off-boarding mechanism allowing an organisation to export its complete VVK and exit the Tide network under cryptographic quorum approval.— Key Lifecycle
- RGK (Ragnarök Generation Key)
- A distinct key generated alongside the VVK whose shards are held by quorum administrators. Used to encrypt VVK shards for off-boarding via the Ragnarök Protocol.— Key Lifecycle
S
- Secure Web Enclave (SWE)
- A verifiable JavaScript runtime operating as the user's cryptographic agent in the browser. Coordinates sMPC operations, verifies ZK proofs, and maintains non-extractable session keys. Sealed by SRI.— Client Architecture
- Settlement Layer
- The orthogonal economic substrate providing payer-to-asset binding and anonymous voucher remuneration without identifying operators or creating targeting opportunities.— Settlement Layer
- SRI (Subresource Integrity)
- A browser-native mechanism ensuring a downloaded script matches a pinned SHA-256 hash, preventing code injection or tampering during delivery.— Client Architecture
T
- Threshold Decryption
- Distributed decryption via threshold proxy re-encryption. ORKs compute partial decryptions blinded with the user's session key; the vendor aggregates obliviously.— Authority in Action
- Threshold Signature Scheme (TSS)
- A multi-party cryptographic protocol where partial signatures from multiple nodes are combined to produce a valid signature without any node possessing the complete signing key.— The Model
- Tide Cybersecurity Fabric
- The decentralized infrastructure that implements Ineffable Cryptography. A network of independently operated nodes (ORKs) that dissolves authority across storage, use, governance, and policy logic so that no person, server, vendor, or administrator ever directly possesses complete reusable authority. Authority emerges through the Fabric only during valid, policy-bound, quorum-backed operations. Together with Ineffable Cryptography, the Fabric enables the Cyber Immunity model.— The Model
- TideCloak
- A Keycloak-compatible Identity, Immunity and Access Management (IIAM) integration layer built on Tide's Cybersecurity Fabric. A drop-in for platform developers that routes requests to the Fabric but holds no cryptographic authority. Tide integrated through TideCloak solves security problems for the platform developer, and the immunity properties compound and benefit their end users.— TideCloak Integration
- TWELVE-MAP
- A self-verifying, Merkle-anchored directory mapping key IDs to ORK swarms. Used by the SWE to discover assigned ORK nodes without trusting a single directory operator.— Client Architecture
V
- VRK (Vendor Random Key)
- An ephemeral key pair generated by TideCloak for a single monthly billing cycle. Used to establish ECDH channels with VVK ORKs; rotated monthly to limit exposure.— Settlement Layer
- VRK Rotation
- Monthly generation of a fresh ephemeral payment key. Expires the previous key, limits the exposure window, and prevents behavioural profiling.— Settlement Layer
- VUID (Vendor User ID)
- A vendor-specific, mathematically uncorrelatable identifier derived per user-vendor combination. Prevents cross-vendor user tracking.— BYOiD
- VVK (Vendor Verifiable Key)
- An organisation's signing and encryption key, sharded across a dedicated vendor ORK swarm. Used for JWT signing, governance enforcement, and role-based authority actions.— The Model
Z
- Zero-Knowledge Proof (ZKP)
- A cryptographic technique that proves the validity of a statement without revealing any information about the statement itself.— Key Lifecycle