Account Creation / KeyGen | Cyber Immunity Whitepaper

Overview

This document specifies the Account Creation and Distributed Key Generation (DKG) ceremony - the registration protocol that establishes the preconditions for every subsequent operation in the Tide architecture. The ceremony generates a user's Consumer Master Key (CMK) and PRISM verification secret via Nested Shamir Secret Sharing (Hall, J. L., Hertzog, Y., et al., 2023), distributing them as Shamir shards across a 20-node ORK swarm with a 14-of-20 threshold. There is no trusted dealer. At no point does any entity compute, possess, or transmit the complete CMK or PRISM secret.

The protocol executes in eight phases across two sequential DKG calls (GenShard, SetShard), a test authentication, a vendor IAM registration, and a two-phase commit to the mimDB (Mimir Database - The Fabric's synced repository). The resulting Accountable Group Signature proves correct generation without revealing secret material.

While this article focuses on CMK and PRISM generation during user self-registration, the identical Nested Shamir DKG construction generates VVK and CVK keys. The Authority Layer manages all resulting shards with strict key-type agnosticism.

Loading diagram...

Preconditions

Condition	Detail
User	Has initiated a login/registration request from the vendor application. Provides username, password, and recovery email addresses.
TideCloak	Possesses a valid `gVVK`, a valid `VRK` (for current payment cycle), and `SignedSettings` (registration policies, callback URLs, self-registration option, Ragnarok option) signed by `gVVK`.
Fabric	Sufficient healthy, staked ORK nodes available to form a 20-node swarm. mimDB (Mimir Database - The Fabric's synced repository) registry operational.
ORK nodes	Each possesses pre-established private keys `aesKey_i`, `mSecORK_i`, and `mgORK_i`.

Protocol Flow

Phase 0: OIDC Redirect and SWE Initialization

The vendor site requests an OIDC authorization code. TideCloak generates a voucher via VRK and redirects to a preferred Home-ORK, which serves the Secure Web Enclave (SWE). The SWE verifies SignedSettings are signed by gVVK.

The user provides their username and password. The SWE computes

\text{uid} \leftarrow H(\text{username})

and generates a non-extractable session key pair

(u, U)

via WebCrypto (extractable: false).

Phase 1: Username Reservation

Loading diagram...

The proximity-based ordering

(\text{SHA256-HMAC}(mIdORK_i, \text{uid}), \text{ascending})

is deterministic and globally consistent. The SWE selects the reservation with the lowest proximity score (most proximate) as the authorization token (auth) for subsequent phases. Reservations are valid for 30 seconds.

Phase 2: Distributed Key Generation - GenShard

Loading diagram...

The SWE sends a single blinded multiplier gBlurPass - the password-derived point obfuscated by a random scalar

j

. Each ORK applies (TOPRF) its PRISM sub-secret to this blinded point, enabling the SWE to derive the aggregate PRISM verifier base gPRISMAuth without any ORK learning the password.

Note on identity derivation: The vendor-specific identity (VUID, gCMKAuth) is not derived during key generation. These values are produced during the test round (Phase 4) via the voucher-based identity recovery mechanism specified in Protocol: CMK Authentication. This architectural separation ensures that identity binding is coupled to the authentication ceremony, not to key generation - making the DKG construction purely key-type agnostic.

Phase 3: Distributed Key Generation - SetShard

Loading diagram...

Each ORK's final shards (CMKY, PRISMY) are the sums of all received peer sub-shards plus its own retained sub-shard. The complete CMK and PRISM secrets were never computed by any entity.

For ORKs that did not respond during GenShard, participating ORKs package their intended shards as SafeKeep records - encrypted under the pairwise ECDH key with the absent ORK's public key. These records are written during Commit and enable future shard retrieval via Protocol: Key Healing.

Phase 4: Test round

The SWE executes a full BYOiD authentication ceremony (as specified in Protocol: CMK Authentication) of the uncommitted state records. This serves two purposes:

Functional verification. The PRISM evaluation and double-blind threshold signature prove the DKG output is mathematically sound end-to-end.
Identity derivation. The BYOiD ceremony's voucher-based identity recovery produces gUserCMK - the user's anonymised CMK public key projected through the vendor's identity space. From this, the SWE derives VUID (vendor-specific user identifier) and gCMKAuth (vendor-specific user authentication public key) as specified in the CMK Authentication protocol (Steps 2.2-2.3). These values are required for Phase 6.

Phase 5: Commit

Loading diagram...

The mimDB independently verifies the Accountable Group Signature before accepting the write. Any party can subsequently audit the mimDB to verify that generation was performed correctly by the declared swarm, without access to private key material.

Loading diagram...

Phase 6: IAM Registration

The TideCloak adapter on the vendor's callback URL registers the user with the TideCloak's instance, providing VUID and gCMKAuth derived in Phase 4. TideCloak creates the user profile and assigns default roles. TideCloak forwards the role assignments to the VVK ORK swarm, which validates the user's blind signature, confirms registration policies, and certifies the user by producing a threshold signature over the assignment proof. A resulting PKCE verifies the full chain.

Phase 7: OIDC Completion

The vendor exchanges the code generated in Phase 6 for the final JWT.

Algorithms

Algorithm 1

Algorithm 1: Nested Shamir DKG - GenShard (per ORK )

Input:

n, t, \{mIdORK_j\}_{j=1}^{n}, \text{gBlurPass}, gSessKeyPub

Output:

\{YijCipher_j\}_{j \neq i}

encReply_i

(encrypted partial results for SWE)

$ECDH_{ij} \leftarrow \textsf{DH}(mSecORK_i, mgORK_j) \quad \forall j \neq i$ - Pairwise secure channels
$\tau_i \leftarrow \textsf{epochTimeUTC}()$
CMK sub-secret:
- $CMK_i \overset{\$}{\gets}$ ℤ $_\ell$
- $\mathcal{A}^{CMK}_i \leftarrow \mathcal{G} \cdot CMK_i$
- $(S^{CMK}_i, R^{CMK}_i) \leftarrow \textsf{EdDSASign}_{CMK_i}(\tau_i)$
- $\sigma^{CMK}_{i \to j} \leftarrow \textsf{ShamirSplit}(CMK_i, t, n, \{mIdORK_j\}) \quad \forall j$
PRISM sub-secret: (identical construction)
- $PRISM_i \overset{\$}{\gets}$ ℤ $_\ell$
- $\mathcal{A}^{PRISM}_i \leftarrow \mathcal{G} \cdot PRISM_i$
- $(S^{PRISM}_i, R^{PRISM}_i) \leftarrow \textsf{EdDSASign}_{PRISM_i}(\tau_i)$
- $\sigma^{PRISM}_{i \to j} \leftarrow \textsf{ShamirSplit}(PRISM_i, t, n, \{mIdORK_j\}) \quad \forall j$
Blinded multiplication: $gMultiplied_i \leftarrow \text{gBlurPass} \cdot PRISM_i$
Encrypt peer shards: $YijCipher_j \leftarrow \textsf{AES\_ENC}_{ECDH_{ij}}(\text{uid}, \tau_i, \sigma^{CMK}_{i \to j}, \sigma^{PRISM}_{i \to j}, \mathcal{A}^{CMK}_i, \mathcal{A}^{PRISM}_i, R^{CMK}_i, R^{PRISM}_i, S^{CMK}_i, S^{PRISM}_i)$
Signature nonce: $r_i \overset{\$}{\gets}$ ℤ $_\ell, gR_i \leftarrow \mathcal{G} \cdot r_i$
Encrypt reply: $encReply_i \leftarrow \textsf{Enc}_{gSessKeyPub}(gR_i, gMultiplied_i, \mathcal{A}^{CMK}_i, \tau_i)$
Cache state indexed by $gSessKeyPub$

Algorithm 2

Algorithm 2: Shard Aggregation and Verification - SetShard (per ORK )

Input:

\{YijCipher_j\}_{j=1}^{I}

(from

I

peers), cached state from GenShard
Output:

CMKY_i

(final CMK shard),

PRISMY_i

(final PRISM shard),

gCMK

gPRISM

Retrieve and destroy cache entry for $gSessKeyPub$
$(\sigma^{CMK}_{j \to i}, \sigma^{PRISM}_{j \to i}, \mathcal{A}^{CMK}_j, \mathcal{A}^{PRISM}_j, \ldots) \leftarrow \textsf{AES\_DEC}_{ECDH_{ij}}(YijCipher_j) \quad \forall j$
$\textsf{assert}(I \geq t)$
Verify timestamps: $|\tau_j - \textsf{median}(\tau_{1..I})| \leq 30\text{s} \quad \forall j$
Aggregate CMK shards: $CMKY_i \leftarrow \sum_{j=1}^{I} \sigma^{CMK}_{j \to i} + \sigma^{CMK}_{i \to i}$
Aggregate PRISM shards: $PRISMY_i \leftarrow \sum_{j=1}^{I} \sigma^{PRISM}_{j \to i} + \sigma^{PRISM}_{i \to i}$
EdDSA verification (fraud detection):
- $\textsf{assert}\bigl(\mathcal{G} \cdot S^{CMK}_j \stackrel{?}{=} R^{CMK}_j + H(R^{CMK}_j, \mathcal{A}^{CMK}_j, \tau_j) \cdot \mathcal{A}^{CMK}_j\bigr) \quad \forall j$
- Same for PRISM. Failure → abort + SLA violation report.
Aggregate public keys: $gCMK \leftarrow \sum_{j} \mathcal{A}^{CMK}_j$ , $gPRISM \leftarrow \sum_{j} \mathcal{A}^{PRISM}_j$

Algorithm 3

Algorithm 3: Accountable Group Signature (per ORK )

Input:

CMKY_i

mSecORK_i

r_i

gR

\text{uid}

gSessKeyPub

\{mIdORK_j\}

ORKsBitwise

Output:

S_i

(partial group signature)

$PermissionMessage \leftarrow (\text{uid},\ \text{"NEW"},\ gSessKeyPub,\ \tau + 30)$
$mDigest \leftarrow H(ORKsBitwise\ \|\ PermissionMessage)$
$mgORKs \leftarrow \sum_{j \in I} mgORK_j + mgORK_i$
$keyAuth \leftarrow gCMK$
$S_i \leftarrow \textsf{partialSign}($
$\qquad \qquad \qquad gR,$ - Public nonce
$\qquad \qquad \qquad keyAuth + mgORKs,$ - Public key
$\qquad \qquad \qquad mDigest,$ - Digest of participating ORKs
$\qquad \qquad \qquad r_i,$ - Nonce secret
$\qquad \qquad \qquad mSecORK_i + CMKY_i,$ - Secret signing key
$\qquad \qquad \qquad \{mIdORK_j\},$ - List of participating ORK IDs
$\qquad \qquad \qquad ORKsBitwise$ - Bitwise array of participating ORKs
$\qquad \qquad \qquad )$
$encS_i \leftarrow \textsf{Enc}_{gSessKeyPub}(S_i)$

Verification (SWE / mimDB):

AccountableKey \leftarrow gCMK + \sum mgORK_i

; assert

AccountableKey.\textsf{verifySig}(gR, S, mDigest)

where

S = \sum S_i

Algorithm 4

Notation Reference

Symbol	Description
$\mathcal{G}$	Generator point on Curve25519 / Edwards25519 twisted Edwards for signatures
$A \cdot b$	Scalar-point multiplication
$H(\cdot)$	SHA-256 unless stated otherwise
$\textsf{DH}(a, B)$	Diffie-Hellman: $B \cdot a$
$\textsf{H2P}(\cdot)$	Hash-to-point (Elligator 2 on Curve25519)
$\text{uid}$	User identifier: $\text{uid} \leftarrow H(\text{username})$
$CMK_i$ , $PRISM_i$	ORK $i$ 's locally generated random sub-secrets for the DKG
$gCMK_i$ , $gPRISM_i$	ORK $i$ 's public key contributions ( $\mathcal{G} \cdot CMK_i$ , $\mathcal{G} \cdot PRISM_i$ )
$\sigma^{CMK}_{i \to j}$	ORK $i$ 's Shamir sub-shard of $CMK_i$ destined for ORK $j$
$CMKY_i$ , $PRISMY_i$	ORK $i$ 's final combined Shamir shards (sum of all received sub-shards + own)
$gCMK$ , $gPRISM$	Aggregate public keys (sum of all contributions). $gCMK = \mathcal{G} \cdot x$ where $x$ is the joint CMK
$PRISMAuth_i$	Per-ORK PRISM verifier: $\textsf{DH}(mSecORK_i, gPRISMAuth)$
$mSecORK_i$	ORK $i$ 's long-term private key: $\textsf{SHA-512}(TideKey_i).\text{last32bytes}$
$mDigest$	Current key's Accountable Group Signature digest of participating ORKS, as taken from the Home ORK's TWELVE-MAP response
$mgORK_i$	ORK $i$ 's long-term public key: $\mathcal{G} \cdot mSecORK_i$
$aesKey_i$	ORK $i$ 's symmetric key: $\textsf{SHA-512}(TideKey_i).\text{first32bytes}$
$\textsf{ENC}_{A}(B)$	X25519-based El-Gamal encryption of message $B$ with public key $A$
$ECDH_{ij}$	Pairwise shared secret: $\textsf{DH}(mSecORK_i, mgORK_j)$
$\textsf{AES\_DEC}_{a}(B)$	AES256 decryption of message $B$ with key $a$
$gSessKeyPub$	SWE's session public key (non-extractable via WebCrypto)
$n$	Swarm size (20)
$t$	Threshold (14)
$I$	Count of ORKs that responded ( $t \leq I \leq n$ )
$gVVK$ , $gVRK$	Vendor long-term and ephemeral payment/session public keys
$gBlurPass$	Blinded password point: $\textsf{H2P}(H(password)) \cdot j$
$ORKsBitwise$	Bitwise array of ORKs that participated in the original ceremony

Note: VUID, gCMKAuth, and CMKmul are derived during the test sign-in (Phase 4) via the voucher-based identity recovery mechanism. See Protocol: CMK Authentication, Steps 2.2-2.3.

Actors and Trust Assumptions

Actor	Description	Trust Assumption
User	Provides username, password, optional recovery emails	-
Vendor Site	Initiates OIDC redirect	Potentially compromised
Secure Web Enclave (SWE)	Browser-based cryptographic agent. Orchestrates ceremony, blinds inputs, routes encrypted shards, aggregates results. SRI-verifiable.	Potentially adversarial. Cannot extract key material from ORKs or force valid DKG for a different user.
Home-ORK	Entry point. Provides ORK directory, checks username availability.	No elevated trust. Public metadata only.
CMK ORKs (swarm, $n=20$ )	Independently operated nodes that compute and hold CMK + PRISM shards.	Up to 13 may be actively malicious or colluding. Mostly operated by different organizations.
Reservation ORKs	Temporarily reserve username (for 30s). Determined by proximity sort.	Short-lived reservation authority. Not necessarily in the CMK swarm.
TideCloak	Vendor IAM server. Creates user, stores VUID + gCMKAuth.	Potentially compromised. No private key material.
VVK ORKs	Separate swarm for vendor signing key. Signs user assignment proof.	Same as CMK ORKs.
mimDB	"Mimir" Database - Append-only Fabric synced registry. Stores committed records, Accountable Group Signatures, TWELVE-MAP entries.	Potentially compromised. All records cryptographically verifiable.
TWELVE-MAP	Tide Wide Enumerated Ledger of Verifiable Entries - Mapping Authoritative Pointers is the self-verifying directory service on mimDB mapping key identifiers to ORK swarms.	Each entry includes a ZK proof attesting to its authenticity against the master registry.

Layer Traversal

Layer	How the Protocol Engages It
Legitimacy	ECDH session establishment, voucher validation for reservation and GenShard, SRI verification of SWE.
Authority	Nested Shamir DKG: shard generation, splitting, distribution, aggregation. ORKs store CMK and PRISM shards identically - key-type agnostic.
Agency	Blinded multiplication $\text{gBlurPass} \cdot PRISM_i$ (purpose-specific MPC). Test sign-in exercises full Agency Layer (PRISM + double-blind signature + voucher-based identity recovery).
Settlement	Vouchers fund reservation, GenShard, and Commit. During test sign-in, voucher-derived values (`Ytag`, `qPub`, `uDeObf`) enable identity derivation.

Security Properties

Property	Mechanism	Assumption
"Born Fragmented" DKG	Nested Shamir: each ORK generates independent randomness. The joint key $x = \sum CMK_i$ is never computed by any entity.	Threshold (< 14 compromised)
Fraud detection	Each ORK verifies Zero-Knowledge proofs ( $\mathcal{G} \cdot S_j \stackrel{?}{=} R_j + H(R_j, \mathcal{A}_j, \tau_j) \cdot \mathcal{A}_j$ ) against all peers' declared contributions before accepting shards.	DLP hardness
Accountable Generation proof	Composite group signature over PermissionMessage, verified against $gCMK + \sum mgORK_i$ . Written to mimDB. Auditable by any party.	DLP. Registry integrity.
Atomicity (two-phase commit)	All ORK state held as Uncommitted until SWE provides aggregate signature and mimDB accepts. Uncommitted state auto-purged after 30 minutes.	-
Transport-independent security	Peer shards encrypted via pairwise ECDH. SWE responses encrypted via session keys. No reliance on TLS.	Secure RNG for ECDH
Malicious SWE containment	SWE routes encrypted shards but cannot read them (ECDH between ORK pairs). Cannot force generation for arbitrary uid without valid reservation signature.	AES-256 strength
Fault tolerance	Only $t$ (14) ORKs required. SafeKeep records enable absent ORKs to retrieve shards later.	-
SafeKeep forward security	Records encrypted under pairwise ECDH with absent ORK's public key. Signed by originating ORK. mimDB verifies signature before storing.	AES-256. ORK key integrity.
Race condition prevention	Deterministic proximity sort assigns reservation to 5 closest ORKs. 30-second signed reservations.	Uniform hash distribution
Password blinding	ORKs compute $\text{gBlurPass} \cdot PRISM_i$ without learning the password or the unblinded point.	Blinding scalar randomness
Identity derivation separation	VUID / gCMKAuth derived during authentication (Phase 4), not during DKG. DKG is purely key-type agnostic.	Voucher mechanism integrity

Call Summary

Call	Direction	Purpose
`findReservers`	SWE → Home-ORK	Check username availability, retrieve proximity-sorted ORK list
`requestVouchers`	SWE → TideCloak	Obtain authorization vouchers for reservation
`reserveUserID`	SWE → 5 Reservation ORKs	Request signed, short-lived username reservation
`GenCMKShard`	SWE → all $n$ ORKs	Initiate DKG. Distribute blinded PRISM multiplier. ORKs execute Algorithm 1.
`SetCMKShard`	SWE → $I$ ORKs	Distribute encrypted peer shards. ORKs execute Algorithms 2-4. Store Uncommitted.
`Convert` + `Authenticate`	SWE → $I$ ORKs	Test sign-in: BYOiD ceremony on uncommitted state. Also derives VUID, gCMKAuth.
`SignProof`	TideCloak → VVK ORKs	VVK swarm signs user assignment proof
`SignJWT`	TideCloak → VVK ORKs	Test JWT generation to verify VVK chain
`Commit`	SWE → $I$ ORKs	Submit aggregate signature. Transition Uncommitted → Committed. mimDB write.
`RegisterNewUser`	Vendor → TideCloak	Register VUID and gCMKAuth with vendor IAM

References

Hall, J. L., Hertzog, Y., et al. (2023). Manifesting Unobtainable Secrets: Threshold Elliptic Curve Key Generation using Nested Shamir Secret Sharing. arXiv:2309.00915. Presented at AustMS 2021.
Wang, F., Hertzog, Y., et al. (2023). Towards Zero Trust Authentication in Critical Industrial Infrastructures with PRISM. ACNS 2023 Workshops, LNCS 13907. Springer, Cham.
Tide Developer Documentation: docs.tidecloak.com