Introduction
Article 1: The Authority Problem presents the evidence: every major breach of the last decade traces to a singular, complete authority artifact whose compromise collapses the entire trust model. The prescribed countermeasures (e.g. defense-in-depth, Zero Trust, HSMs, compliance frameworks) protect the artifact without questioning whether it needs to exist.
Ineffable Cryptography encompasses Tide's suite of primitives and protocols that allow cryptographic keys to be generated, operated, and governed in distributed pieces, never materializing as complete artifacts at any point in their lifecycle. The term "ineffable" is literal. The keys cannot be expressed, cannot be spoken, cannot be brought into existence as complete objects. More than the keys are ineffable: the authority over them is equally inexpressible as any singular, extractable thing.
The Tide Cybersecurity Fabric implements Ineffable Cryptography as a decentralized network infrastructure of independently operated nodes where:
No single entity, not any node, not any administrator, not Tide itself, ever possesses enough information or control to validate a credential, sign a token, forge an identity, decrypt sensitive data, or unilaterally alter the rules. These are not the only operations the Fabric secures, but they illustrate the scope: any action that traditionally required a complete authority artifact is instead computed ephemerally across the network.
Tide's Cybersecurity Fabric, made possible with Ineffable Cryptography, allows the realization of the Cyber Immunity model: Rather than expecting that breaches can be prevented, systems are rearchitected so that authority is kept beyond the direct reach of any system or operator, ensuring that inevitable breaches cannot escalate into catastrophic damage.
The model is the foundation upon which all subsequent protocols and ceremonies in this series are built.
Authority Dissolution, Not Key Dissolution
The term "key dissolution" - fragmenting a key so it never exists as a complete artifact - accurately describes one property of the Tide architecture, but it is dangerously incomplete as a description of the innovation. Key sharding through Multi-Party Computation (MPC) is not novel. Custodial MPC solutions already distribute key material across multiple nodes and compute signatures without assembling the key. What they do not dissolve is authority over the key. A sharded key still has a single administrator who can direct its use, a single policy engine that decides when it acts, and a single governance model that determines who can change its behavior. The attack surface migrates from the key to its control plane.
Tide dissolves authority itself across four independent surfaces, each of which eliminates a distinct class of singular control:
FIGURE 3: The Four Surfaces of Authority Dissolution
Storage. Keys are never generated as whole entities and then split. Instead, they are born natively as distributed mathematical fragments across an independent network of nodes via Distributed Key Generation (DKG). The complete key never materializes - not at generation, not during any operation, not at any point in its lifecycle.
Use. Every cryptographic operation - signing, decryption, authentication - is executed via threshold MPC across independently operated nodes. No single node ever processes the complete key, sees the full output, or learns the purpose of the operation.
Governance. Any change to a key's properties, behavior, or policy requires a quorum of administrators to consent. That consent is not a software policy check. It is a set of cryptographically signed attestations from each administrator, guaranteeing that each specific administrator consented to that specific change. The complete consent package is transmitted to all nodes in the key's swarm and independently verified before any change is applied. No single administrator, and no single organization, can unilaterally alter the rules governing a key.
Policy Logic. Beyond governance rules, the decision-making process that precedes an MPC operation is itself decentralized. Tide's Forseti engine allows a key owner (the quorum of administrators) to design, program, and deploy programmable policies governing when and how a key acts. These policies execute across all swarm nodes in parallel - the policy evaluation surface is as distributed as the key itself. (See Article 6: Authority in Action for the full Forseti construction.)
The Core Invariant: Authority is dissolved across four independent surfaces.
No key ever exists in complete form (storage).
No single node can exercise its effect (use).
No single administrator can alter its rules (governance).
No centralized engine decides when it acts (policy logic).
Authority is strictly an emergent property of live, threshold-enforced cryptographic ceremonies - and no singular surface of control remains.
Does this extend to Tide itself? Yes. Tide Foundation Ltd is a nonprofit organization established for open governance of the Tide Cybersecurity Fabric. The same cryptographic quorum mechanisms that bind administrators bind Tide. Tide cannot unilaterally direct operations on a user's Consumer Master Key (CMK), their Consumer Vendor Key (CVK) or a Vendor's Verifiable Key (VVK). The protocol enforces this constraint at the cryptographic layer, not the policy layer.
The Tide Cybersecurity Fabric and the Node Architecture
The Tide Cybersecurity Fabric is a decentralized, permissionless infrastructure - not a vendor-operated cluster, a proprietary cloud region, or a replicated database. It is an operational network of Orchestrated Recluders of Keys (ORKs).
An ORK is an independently operated node that stores key shards and participates in threshold cryptographic operations. The network currently consists of over 50 nodes, designed for unlimited horizontal scaling. Each user or organizational key set is distributed across a different swarm of 20 ORK nodes, operating at a 14-of-20 threshold.
This threshold delivers two simultaneous guarantees: up to 6 nodes can be offline without degrading key availability (fault tolerance), while up to 13 nodes can be compromised or actively colluding without breaking the key's security (security tolerance). Each node in a swarm is operated by a different organization, on independent infrastructure, geographically dispersed, and bound by staking-enforced Service Level Agreements (SLAs). An attacker attempting to forge a token must simultaneously breach 14 distinct organizations - 14 different security perimeters and infrastructure configurations - within the execution window of a single transient ceremony.
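A worked illustration of the two 14-of-20 guarantees above and of keys being "born as fragments" (added here; not Tide's code). Every node contributes its own random Shamir polynomial and shares are summed, a simplified dealerless DKG over a plain prime field that stands in for the Nested Shamir construction over a curve's scalar field; the modulus and the use of integers are assumptions for illustration. Any 14 shares reconstruct the key, while any 13 shares are consistent with every possible key.

```python
import secrets

P = 2**127 - 1   # constructed field modulus for illustration (Tide works in a curve's scalar field)
N, T = 20, 14    # swarm size and threshold from the article: 6 may be offline, 13 may collude

def eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(P); coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def node_contribution(t, n):
    """One node samples its own random degree-(t-1) polynomial and deals a
    sub-share of its constant term to every node index 1..n."""
    coeffs = [secrets.randbelow(P) for _ in range(t)]
    return coeffs[0], {i: eval_poly(coeffs, i) for i in range(1, n + 1)}

def dkg(t=T, n=N):
    """Dealerless DKG: node i's share is the sum of the sub-shares it received.
    The summed constant terms form the key, which is returned here ONLY so the
    property can be checked; no participant in the protocol ever computes it."""
    key, shares = 0, {i: 0 for i in range(1, n + 1)}
    for _ in range(n):
        secret, subshares = node_contribution(t, n)
        key = (key + secret) % P
        for i, s in subshares.items():
            shares[i] = (shares[i] + s) % P
    return key, shares

def interpolate(points, x):
    """Lagrange interpolation over GF(P): value at x of the unique polynomial
    of degree < len(points) through the given (x_i, y_i) points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def reconstruct(shares, indices):
    """Combine the listed shares at x=0. Any T of the N shares yield the key
    (fault tolerance); fewer than T yield an unrelated value."""
    return interpolate([(i, shares[i]) for i in indices], 0)

def share_consistent_with(shares, indices, candidate):
    """Security tolerance: with only T-1 shares, EVERY candidate key is equally
    plausible. Returns (missing_index, share) such that those T-1 shares plus
    this one reconstruct to `candidate`, proving the T-1 shares rule nothing out."""
    assert len(indices) == T - 1
    pts = [(0, candidate)] + [(i, shares[i]) for i in indices]
    missing = next(i for i in range(1, N + 1) if i not in indices)
    return missing, interpolate(pts, missing)
```

In the real Fabric `reconstruct` is never executed; threshold operations consume the shares directly, and it appears here only to check the property.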
The Four-Layer Architecture
The Fabric is structured around four abstraction layers: Legitimacy, Authority, Agency, and Settlement. These are abstraction levels that protocols traverse, not functional silos that protocols live in. Every consumable capability - authentication, token signing, decryption, governance enforcement - traverses all four layers in a single, cohesive operation.
```text
┌──────────────────────────────────────────────────────────┐
│                CONSUMING CLIENT / CONTEXT                │
│  (Secure Web Enclave, TideCloak, Asgard, Authenticator)  │
└─────────────────────────┬────────────────────────────────┘
                          │ Authority Request
                          ▼
┌──────────────────────────────────────────────────────────┐
│   TIDE CYBERSECURITY FABRIC (Distributed ORK Network)    │
│                                                          │
│  ┌────────────────────────────────────────────────────┐  │
│  │ 1. LEGITIMACY LAYER                                │  │
│  │    Validates request, establishes ECDH session     │  │
│  └──────────────────────┬─────────────────────────────┘  │
│                         │ Validated Request               │
│                         ▼                                │
│  ┌────────────────────────────────────────────────────┐  │
│  │ 2. AUTHORITY LAYER                                 │  │
│  │    Locates agnostic Shamir shards (CMK/VVK/CVK)    │  │
│  │    Enforces quorum governance + Forseti policy     │  │
│  └──────────────────────┬─────────────────────────────┘  │
│                         │ Key Material + Policy Cleared  │
│                         ▼                                │
│  ┌────────────────────────────────────────────────────┐  │
│  │ 3. AGENCY LAYER                                    │  │
│  │    Executes purpose-specific MPC (PRISM, TSS, ...) │  │
│  └──────────────────────┬─────────────────────────────┘  │
│                         │ Cryptographic Product          │
│                         ▼                                │
│  ┌────────────────────────────────────────────────────┐  │
│  │ 4. SETTLEMENT LAYER (Orthogonal)                   │  │
│  │    Binds operation to payer scope, funds ORKs      │  │
│  └────────────────────────────────────────────────────┘  │
└─────────────────────────┬────────────────────────────────┘
                          │ Ephemeral Result
                          ▼
┌──────────────────────────────────────────────────────────┐
│                   AUTHORITY MANIFESTED                   │
│   (Authenticated Session, Signed JWT, Decrypted Data)    │
└──────────────────────────────────────────────────────────┘
```
FIGURE 4: The Fabric's Four-Layer Architecture
1. The Legitimacy Layer
The Legitimacy Layer is the cryptographic gateway of the Fabric. Before any ORK retrieves a key shard, this layer answers two questions: Who is asking? and Are they allowed to do this now?
Requests originate from consuming clients: the verifiable Secure Web Enclave (browser), TideCloak (Identity and Access Management), the Asgard SDK (backend integration), or the Tide Authenticator app. The layer qualifies each connection by establishing an ECDH session (channel security independent of TLS) and verifying the request's authorization against a credential such as a Vendor Random Key (VRK) or a Doken (delegation token). Unauthorized or malformed requests are intercepted at the perimeter, protecting authority material from probing and the ORK infrastructure from resource exhaustion.
2. The Authority Layer
The Authority Layer is the authority lifecycle engine. It governs the generation, maintenance, healing, rotation, and disposal of cryptographic shards - the full lifecycle detailed in Article 3: The Ineffable Key Lifecycle.
This layer determines what authority exists within the Fabric, but possesses no knowledge of who this authority belongs to or what that authority does. When an ORK retrieves a shard, it knows only that it holds a valid fragment associated with an identifier. It does not know whether the fragment represents a user's identity, an organization's signing key, or a personal wallet.
The Authority Layer also enforces quorum governance and Forseti policy evaluation. Before any operation proceeds to the Agency Layer, the Authority Layer verifies that the required administrative consents are present and that the programmatic policy conditions are satisfied - both evaluated independently by each ORK in the swarm.
3. The Agency Layer
The Agency Layer is where authority becomes action. While the Authority Layer manages the existence of key shards and validates the governance and policy preconditions, the Agency Layer executes the MPC protocols that give those shards purpose.
Each ORK node collaboratively computes a specific cryptographic function dictated by the client's context - a decentralized evaluation for password verification, a partial threshold signature for token issuance, a threshold decryption for E2EE. Nodes perform these computations blindly: no node learns the meaning of the input, the complete key, or the final output. The specific mechanisms are detailed in Article 6: Authority in Action.
4. The Settlement Layer
The Settlement Layer operates orthogonally to the other three, serving a dual function that is architecturally load-bearing.
First, it provides the economic substrate: a voucher system that remunerates independent ORK operators without centralized billing.
Second, it introduces a cross-cutting security dimension: payer-to-asset binding. Using a novel blind double-signer signature scheme, the Settlement Layer guarantees that an operation funded by a specific organization can only produce tokens bound to that organization's cryptographic scope. A malicious actor attempting to forge tokens for Vendor A using vouchers purchased by Vendor B generates identities that are mathematically isolated to Vendor B's environment. The full construction is detailed in Article 8: The Settlement Layer.
Key-Type Agnosticism as a Security Property
The Authority Layer manages all three key populations (CMK, VVK, CVK) uniformly, and it does not know which population a given shard belongs to - a deliberate security property, not an implementation convenience.
When generating a shard, healing a shard, or participating in key rotation, each ORK operates on an undifferentiated mathematical point. Its database stores an identifier, a timestamp, an ECDH session binding, and a Shamir shard. It stores no metadata indicating whether the shard will authenticate a user, sign an enterprise JWT, or decrypt a private message.
- Consumer Master Key (CMK) - The user's root identity key across the Tide network. Distributed across a user-specific ORK swarm, used during authentication to prove identity and derive vendor-specific unlinkable identifiers. The CMK is purely an identity anchor; it does not directly sign application-level tokens.
- Vendor Verifiable Key (VVK) - The organization's signing and encryption key. Sharded across a dedicated vendor ORK swarm, used for JWT signing, governance enforcement, and role-based authority actions. The vendor uses the VVK's authority daily but never possesses the private key.
- Consumer Vendor Key (CVK) - A user-specific personal key within a particular vendor's context. Functions as a sovereign personal wallet - securing individual credentials, digital assets, or private communications that the vendor cannot access.
This key-type agnosticism is a load-bearing security property. If ORKs held metadata tagging a shard as "VVK for Enterprise X" or "CMK for User Y," that metadata would be an attack surface: compromised nodes could be queried specifically for high-value key populations. Key-type agnosticism ensures shards are semantically meaningless to the nodes holding them. The consuming client at the Agency Layer provides the context that turns an agnostic shard into a specific authority action.
The Authority / Agency Boundary
This agnosticism is made possible by a precise architectural boundary. The Authority Layer governs existence - it manages the lifecycle and verifies that an identifier is associated with every valid shard that exists. The Agency Layer governs effect - it determines what cryptographic operation a shard participates in. An ORK at the Authority Layer retrieves its shard; the consuming protocol at the Agency Layer (BYOiD authentication, threshold decryption, JWT signing) instructs the ORK on which operation to perform. The ORK executes blindly and returns a partial result. The meaning of the key exists only in the ephemeral execution of the Agency Layer protocol. (See Article 4: BYOiD, Article 5: Governance Without God Mode, and Article 6: Authority in Action for how the Agency Layer exercises authority.)
The Two Operational Paths
The output of BYOiD authentication - a verified, vendor-specific identity (detailed in Article 4: BYOiD) - serves as the gateway into one or both of two operational models:
- VVK-Only (Organization-Centric). The user gains role-based access to operations performed under the organization's VVK. There is no per-user cryptographic key for operational tasks. All users share access to a single organizational authority key, differentiated by RBAC policy. The VVK itself remains threshold-distributed - no entity holds it.
- CVK (User-Sovereign). The user performs a secondary authentication against a separate CVK ORK swarm, gaining session control over their personal key. The CMK authentication provides the gate (identity verification); the CVK session provides the authority (sovereign control over personal assets, credentials, or encrypted communications).
Many platforms will implement both simultaneously - VVK for corporate operations, CVK for user-sovereign data within the same environment.
The Primitive Suite
The Fabric relies on four cryptographic constructions, each designed for the specific requirements of authority dissolution and subjected to academic peer review.
| Primitive | Purpose | Key Property | Reference |
|---|---|---|---|
| Nested Shamir Secret Sharing | Distributed Key Generation - keys born as fragments, no dealer required | Complete key never materializes at any stage of generation | Hall, J. L., Hertzog, Y., et al., 2023. arXiv:2309.00915 |
| PRISM (Threshold OPRF) | Credential verification distributed across the ORK swarm | Offline brute-force structurally impossible - verification function cannot exist outside the live network | Wang, F., Hertzog, Y., et al., 2023. Springer. DOI:10.1007/978-3-031-41181-6_19 |
| Double-Blind Threshold Signature Scheme | Vendor-specific unlinkable identity derivation with two-sided blinding | Neither signing nodes nor verifying party learns the other's key; operates on twisted Edwards curve (BEd255475) | Pending joint publication, RMIT University |
| Proxy Reencrypted Threshold Signature Scheme | Key operations performed on behalf of a holder without proxy accessing the key | Enables blind authority delegation without key exposure | Construction details forthcoming |
These are not off-the-shelf implementations. Each was built for authority dissolution and has been (or is being) subjected to independent academic review.
Taxonomy of Authority Actions
A defining property of the architecture is that all of the following capabilities are different mathematical expressions traversing the same four layers, using the same ORK infrastructure, benefiting from the same authority dissolution. The model is one thing; its applications are many.
| Authority Action | Primary Primitive | Layer Traversal | Target Key Population |
|---|---|---|---|
| Authentication | PRISM + Double-Blind TSS | Legitimacy → Agency | CMK |
| Token Signing | Threshold Signature Scheme | Legitimacy → Authority → Agency | VVK |
| Decryption (E2EE) | Threshold ElGamal / Proxy TSS | Legitimacy → Authority → Agency | VVK or CVK |
| Delegation | Proxy Reencrypted TSS | Authority → Agency | VVK or CVK |
| Governance | Quorum Consent (signed + blind-signed proofs) | Authority (quorum validation) | VVK |
| Policy Evaluation | Forseti Distributed Engine | Authority (parallel execution across swarm) | All key types |
| Randomness | Nested SSS | Authority | Distributed Entropy |
Settlement runs orthogonally across all actions, binding each to its payer scope.
Further Reading
- Article 3: The Ineffable Key Lifecycle - How keys are generated, maintained, healed, and destroyed without assembly.
- Article 4: BYOiD - The CMK authentication ceremony: PRISM and Double-Blind TSS traversing the model.
- Article 5: Governance Without God Mode - Quorum-enforced authorization, cryptographic consent, delegation, and recovery.
- Article 6: Authority in Action - Threshold operations, Forseti policy engine, and blind delegation at the Agency Layer.
- Article 7: Client Architecture - The SRI-verifiable Secure Web Enclave, session binding, and consuming client trust model.
- Article 8: The Settlement Layer - The blind double-signer cryptosystem and zero-knowledge accountability model.
- Article 9: Threat Model - Composite security, collusion thresholds, bidirectional identity isolation, and post-quantum posture.
- Article 10: TideCloak - Developer experience, OIDC compatibility, and enterprise IAM integration.
For protocol-level specifications, the Protocol articles that follow provide the detailed ceremony flows that implement this model.
References
- Hall, J. L., Hertzog, Y., et al. (2023). Manifesting Unobtainable Secrets: Threshold Elliptic Curve Key Generation using Nested Shamir Secret Sharing. arXiv:2309.00915. Presented at AustMS 2021.
- Wang, F., Hertzog, Y., et al. (2023). Towards Zero Trust Authentication in Critical Industrial Infrastructures with PRISM. ACNS 2023 Workshops, LNCS 13907. Springer, Cham.
- RFC 9497 - Oblivious Pseudorandom Functions (OPRFs) Using Prime-Order Groups. IETF, 2023.
- Tide Foundation. Tide Developer Documentation.