Anonymous Voucher: Triple-Blinded Micro-Payment | Cyber Immunity Whitepaper

Overview

This document specifies the cryptographic construction of the Anonymous Voucher - the micro-payment token that gates every ORK operation in the Tide Cybersecurity Fabric. The voucher must simultaneously prove payment authorization to the ORK, prove balance sufficiency to the Payer, hide each actor's identity from non-adjacent parties, bind to a specific action type, and resist replay.

The construction achieves these properties via triple-blinding: three actors apply independent obfuscation layers that intertwine into a verifiable combined signature

s = s1 + s2

, allowing the Payer to validate payment without unmasking the transacting entities. The voucher's obfuscated Vendor identity

Y'

simultaneously serves as the BYOiD authentication tag, fusing settlement and identification into a single protocol round.

Loading diagram...

Notation Reference

Symbol	Description
$G$	Generator point on the selected elliptic curve.
$A \cdot b$	Scalar-point multiplication.
$\textsf{H}(\cdot)$	Cryptographic SHA256 hash function.
$\textsf{DH}(A , b) \equiv \textsf{H}(A \cdot b)$	Diffie-Hellman key exchange function.
$v$ , $V = G \cdot v$	VRK key pair. Vendor's ephemeral payment key (rotates monthly).
$Y = gVVK$	Vendor's master identity public key.
$Y'$	Triple-obfuscated Vendor identity: $Y \cdot \textsf{H}(v) \cdot \textsf{DH}(P, q) \mod q$ .
$Y''$	Payer-facing obfuscated VVK: $Y \cdot \textsf{H}(v)$ .
$\hat{Y}$	User ID obfuscation tag: $Y' \cdot \textsf{H}(v)$ .
$o_i$ , $O_i$	ORK $i$ 's private and public key pair.
$pORK_i$	ORK $i$ 's per-operation temporary payment key pair.
$z_i$	ORK blinding factor: $\textsf{DH}(O_i , k)$ .
$O'_i$	Blinded ORK identity: $O_i \cdot z_i$ .
$k$ , $K = G \cdot k$	SWE's per-operation blinding key pair.
$q$ , $Q = G \cdot q$	Vendor's per-voucher-batch nonce key pair.
$p$ , $P = G \cdot p$	Payer swarm deobfuscation key pair.
$n_i$ , $N_i$	Payer node $i$ 's signing key pair.
$u$	PRISM deobfuscation coefficient: $\textsf{H}(v) \times \textsf{DH}(P , q) \times \textsf{DH}(K , q) \mod q$ .
$s1_i$	Vendor's partial voucher signature for ORK $i$ .
$s2$	ORK's voucher counter-signature.
$s$	Combined voucher signature: $s1_i + s2$ .
$R1_i$ , $R2$	EdDSA nonce public values (Vendor, ORK).
$UID'$	Obfuscated user ID: $\hat{Y} \cdot uid$ .
$uid_{anon}$	Anonymized user ID (Payer-derived, for MAU licensing).
$VENkey'$	Vendor destination key (Payer-derived, for ORK→Vendor encryption).
$\textsf{ProofSign}$	Payer's redemption proof signature.
$Z$	Sum of ORK blinding factors (monthly redemption deobfuscation).

Actors

Actor	Description	Trust Assumption
User Agent (SWE)	Acquires ORKs, blinds their public keys, requests vouchers from Vendor, orchestrates ORKs.	Verifiable (but untrusted) dealer. Can select routing but cannot manipulate signed vouchers.
TideCloak	Holds VRK, generates and signs vouchers, obfuscates own identity.	Knows VVK public, lacks private shards. Cannot identify which ORKs receive vouchers.
ORK Nodes	Finalize vouchers (counter-signature), submit to Payer, execute partial operation if validated.	Standard threshold trust. Cannot derive Vendor's identity from voucher.
Payer	Validates signatures, enforces balance/licensing, issues RedemptProof, settles monthly.	Scrutinized, Tide-operated. Knows V but cannot derive Y.
mimDB	"Mimir" Database - Append-only Fabric synced registry. Stores committed records, Accountable Group Signatures, TWELVE-MAP entries.	Potentially compromised. All records cryptographically verifiable.
TWELVE-MAP	Tide Wide Enumerated Ledger of Verifiable Entries - Mapping Authoritative Pointers is the self-verifying directory service on mimDB mapping key identifiers to ORK swarms.	Each entry includes a ZK proof attesting to its authenticity against the master registry.

Preconditions

Vendor-Side: Facility approval VRK key (

v

V

), master Vendor public key (

Y = gVVK

\textsf{H2P}(VVK)

, Payer public key (

P

ORK-Side: ORK private key (

o_i

O_i

), Payment ORKs keys (

pORK_i

), user CMK shard (

x_i

), user ID (

uid

Payer-Side: Cluster deobfuscation key (

p

P

), node signing key (

n_i

N_i

), facility store ID

Y''

tracking: balance, capacity, VRK validity dates, MAU.

Phase 0: Credit Facility Setup

When: During initial vendor onboarding and each monthly VRK rotation.

The Vendor registers a funded facility with the Payer, linking VRK to VVK without exposing the master VVK identity. For the full credit facility setup construction including the semi-blind signature, see Protocol: Vendor Licensing, Algorithm 1.

The Vendor generates a fresh VRK (

v

V

), derives

Y_{tmp} = G \cdot \textsf{H}(v)

, signs proofs of possession (

vProof

YProof

), and registers a provisional credit facility: CreateLicense(V, Y_tmp, YProof, vProof). The Payer creates a credit facility indexed by

V

, identified by

Y_{tmp}

During VVK generation, the VVK ORKs produce a semi-blind signature. The Vendor aggregates to derive

Y'' = Y \cdot \textsf{H}(v)

and updates the facility: UpdateLicense(V, Y'', YProof, vProof). The Payer verifies and re-indexes by

Y''

. The Payer holds

Y'' = Y \cdot \textsf{H}(v)

but cannot recover

Y

without

v

Phase 1: Voucher Allocation (Per-Operation)

When: Every authentication, decryption, or signing request.

Loading diagram...

Step 1.1 - SWE Blinds ORK Identities (Blind 1). The Secure Web Enclave (SWE) generates ephemeral

k

K = G \cdot k

and computes per-

ORK_i

blinding:

z_i = \textsf{DH}(O_i , k)

O'_i = O_i \cdot z_i

. Transmits

(O'_{1..n}, \text{"action"}, K)

to the Vendor.

Step 1.2 - Vendor Generates Vouchers (Blind 2). The Vendor executes Algorithm 1, returning

(s1_{1..n}, R1_{1..n}, Y', Q, P, u, \hat{Y})

Step 1.3 - SWE Verifies and Distributes. The SWE recovers the Vendor's public key:

Y = Y' \cdot \textsf{DH}(Q , k) \cdot u^{-1}

and asserts it matches the expected

gVVK

. Routes the per-ORK voucher.

Step 1.4 - ORK Finalizes Voucher (Blind 3). The ORK recomputes

z_i = \textsf{DH}(K , o_i)

(note:

K \cdot o_i \equiv O_i \cdot k

), derives

O' = O_i \cdot z_i

, computes its counter-signature

s2

, and forms

s = s1_i + s2

. The ORK obfuscates the user ID:

UID' = \hat{Y} \cdot uid

Step 1.5 - ORK Contacts Payer. The ORK queries the decentralized repository for the Payer cluster address via findPayer(P), receives ClusterPayersList[1..n], and calls ValidateVoucher on one Payer node from that cluster with:

(s, R1, R2, Y', Q, O', UID', \text{"action"})

Phase 2: Payer Validation

Loading diagram...

The Payer executes Algorithm 2 (deobfuscation and verification), then:

Licensing check. The Payer derives an anonymized user ID:

uid_{anon} = \textsf{H}(UID' \cdot (\textsf{DH}(Q , p))^{-1})

, which expands to

\textsf{H}(Y \cdot \textsf{H}(v) \cdot \textsf{H}(v) \cdot uid)

. This value is unique per user per vendor, changes each billing cycle (incorporates rotating

v

), and is unlinkable to the actual

uid

. If the MAU count exceeds the Vendor's licensed limits, the voucher is rejected.

Redemption proof. Upon passing all checks:

\textsf{ProofSign} = \textsf{SIGN}_{n_i}(timestamp, \text{"action"}, O')

. The Payer also derives

VENkey' = O' \cdot \textsf{DH}(Q , \textsf{DH}(V , p))

for ORK→Vendor encryption. Returns

(\textsf{Proof}, VENkey')

to the ORK.

Storage. The Payer stores the validation indexed by digest (SubIndex: action, timestamp, key) and updates the balance indexed by venPub. The ORK stores the validation indexed by digest (SubIndex: payerPublic, action) with RedemptProof, voucher fields, and

z_{Obf}

Phase 3: BYOiD Integration

The voucher protocol integrates with BYOiD authentication (Protocol: CMK Authentication) to establish the user's secret contextual identity (that is used to calculate the user identity in the context of this specific vendor) at zero additional latency. A user secret contextual identity value is a cross between the Vendor secret key and the user's master secret key:

G \cdot \text(VVK) \cdot \text(CVK)

. The triple-obfuscated Vendor identity

Y'

generated in Phase 1 is the PRISM authentication tag (

Ytag

At the ORK:

prismID_i = Y' \cdot x_i \equiv Y \cdot x_i \cdot \textsf{H}(v) \cdot \textsf{DH}(P , q)

At the SWE (Algorithm 3): The SWE interpolates the partial responses, multiplies by

\textsf{DH}(Q , k)

, and divides by

u

prismAUTH = \left(\sum_{i=1}^{t} prismID_i\right) \cdot \textsf{DH}(Q , k) \cdot u^{-1} \equiv Y \cdot x

The obfuscation factors cancel:

\textsf{DH}(Q , k) / (\textsf{DH}(v) \times \textsf{DH}(P , q) \times \textsf{DH}(K , q))

simplifies because

\textsf{DH}(Q , k) = \textsf{DH}(K , q)

, yielding

Y \cdot x

- the user's master CMK public key multiplied by the VVK.

Phase 3b: BlindSig Flow (Non-PRISM Operations)

For threshold operations that produce a result for the Vendor (e.g., decryption, signing), the ORK encrypts the output using the Payer-derived

VENkey'

At the ORK: The ORK derives the symmetric encryption key by removing its own blinding from

VENkey'

VENKey = \textsf{DH}\left(VENkey' , (o_i \cdot z_i)^{-1}\right) \equiv \textsf{H}\left(G \cdot \textsf{DH}(Q , \textsf{DH}(P , v))\right)

The ORK encrypts:

encBlindMsg_i = blindSig_i \times VENKey

At the SWE: The SWE interpolates:

encBlindMsg = \sum encBlindMsg_i

, unblinds, and forwards

(encMsg, Q)

to the Vendor.

At the Vendor: The Vendor independently derives the same key:

VENKey = \textsf{H}(G \cdot \textsf{DH}(Q , \textsf{DH}(P , v)))

and decrypts:

blindSig = encMsg \times VENKey^{-1}

The ORK never learns the Vendor's identity. The Vendor never learns the ORK's identity. Both independently derive the same symmetric key through the Payer's public key

P

Phase 4: Monthly Bulk Redemption

ORKs accumulate RedemptProofs and settle in monthly bulk batches.

Step 4.1 - ORK Aggregation. Each ORK aggregates its validated vouchers hierarchically: by Payer cluster, then by action type, then by individual validation. It computes

Z = \sum z_i

(the sum of all blinding factors for the period). For each aggregated record, it signs the payment instruction with the voucher private key:

payInstAuth = voucherPrivateKey.\textsf{sign}(redemption.key, paymentDest)

. It transmits

(redemptionAgg, paymentDest, payInstAuth, Z)

to the relevant Payer cluster.

Step 4.2 - Payer Verification and Settlement. The Payer executes six verification checks:

Verify all vouchers signed by an approved Payer cluster member.
Verify no voucher older than 3 months.
Match each voucher's digest to recorded validations.
Verify each voucher's payment is assigned to exactly one payment instruction.
Deobfuscate the ORK identity: $O = (\sum O'_i) \times Z^{-1}$ .
Verify: $\textsf{VerifySIGN}_{N_i}(ProofSign_{1..j}, timestamp_{1..j}, \text{"action"}_{1..j}, O)$ .

The Payer returns ApprovedDigestList[], DisputedDigestList[], and a payment confirmation report. It processes the incentivisation settlement, syncs the cluster, and culls matched records.

Step 4.3 - Dispute Resolution. For disputed vouchers, the ORK resubmits the full chain:

(voucherFinal[], RedemptContent[], RedemptProof[])

. The Payer evaluates: check for duplicates, identify rogue ORK, identify rogue VRK/Vendor, identify rogue Payer. If all checks are exhausted, escalation to a human operator occurs. The Payer sends reports and any excess bill to the Vendor (TideCloak).

Step 4.4 - Purging. The ORK purges paid voucher records. The Payer archives settled ledgers.

Algorithms

Algorithm 1: Triple-Blind Voucher Generation (Vendor)

Inputs:

v

(VRK private),

V = G \cdot v

(VRK public),

Y = gVVK

(master public),

P

(Payer public),

O'_{1..n}

(blinded ORK keys),

K

(SWE blinding public),

\text{"action"}

Steps:

$q \overset{\$}{\gets}$ ℤ $_\ell, Q = G \cdot q$
$Y' = Y \cdot \textsf{H}(v) \cdot \textsf{H}(P \cdot q)$ - triple-obfuscated Vendor identity
$\hat{Y} = Y' \cdot \textsf{H}(v)$ - user ID obfuscation tag
$u = \textsf{H}(v) \times \textsf{H}(P \cdot q) \times \textsf{H}(K \cdot q)$ - PRISM deobfuscation coefficient
For each ORK $i$ :
- $r1_i = \textsf{H}(v, \text{"action"}, Y' + O'_i)$ - deterministic EdDSA nonce
- $R1_i = G \cdot r1_i$
- $s1_i = r1_i + \textsf{H}(R1_i, Y', \text{"action"}) \times v + \textsf{H}(Y' + O'_i, \text{"action"}) \times v$

ORK counter-signature (per ORK

i

, after receiving voucher):

$z_i = \textsf{H}(K \cdot o_i)$ , $O' = O_i \cdot z_i$
$r2 = \textsf{H}(o_i, \text{"action"}, Y' + O'_i)$ , $R2 = G \cdot r2$
$s2 = r2 + \textsf{H}(R2, O', \text{"action"}) \times o_i \times z_i + \textsf{H}(Y' + O', \text{"action"}) \times o_i \times z_i$
$s = s1_i + s2$ - combined voucher signature

Outputs:

s1_{1..n}

R1_{1..n}

Y'

Q

P

u

\hat{Y}

Algorithm 2: Payer Deobfuscation and Verification

Inputs:

s

R1

R2

Y'

Q

O'

UID'

\text{"action"}

p

(Payer private),

V

(VRK public from facility)
Outputs:

\textsf{ProofSign}

uid_{anon}

VENkey'

Steps:

$Y'' = Y' \cdot (\textsf{H}(Q \cdot p))^{-1} \equiv Y \cdot \textsf{H}(v)$ - deobfuscate Vendor identity
$\textsf{Sync}(Y'')$ - verify local DB synchronized for this Vendor
$\textsf{VerifyUnique}(R1)$ - reject if digest previously processed
Verify signature equation: $G \cdot s \stackrel{?}{=} R1 + R2 + \textsf{H}(R1, Y', \text{"action"}) \cdot V + \textsf{H}(R2, O', \text{"action"}) \cdot O' + \textsf{H}(Y' + O', \text{"action"}) \cdot (V + O')$
$\textsf{VerifyVendorBalance}(V, \text{"action"})$ - reject if insufficient credit
$\textsf{outsideVRKvalidDates}(Y'', timestamp)$ - reject if VRK expired

Verification equation properties: (a) Authentic VRK signature via

V

term. (b) Authentic ORK counter-signature via

O'

term. (c) Signatures bound to identical

Y'

O'

via joint hash

(V + O')

. (d) Action type committed across all hash inputs.

Privacy and Threat Analysis

Privacy Properties

Property	Mechanism
Vendor → ORK Unlinkability	Blind 1: SWE applies $z_i = \textsf{DH}(O_i , k)$ . Vendor sees $O'_i$ , cannot derive $O_i$ without $k$ .
ORK → Vendor Unlinkability	Blind 2: Vendor obfuscates with $Y' = Y \cdot \textsf{H}(v) \cdot \textsf{DH}(P , q)$ . ORK sees $Y'$ , cannot derive $Y$ .
Payer → VVK Isolation	Payer recovers $Y'' = Y \cdot \textsf{H}(v)$ . Without $v$ , cannot derive $Y$ .
User ID Anonymization	Blind 3: ORK computes $UID' = \hat{Y} \cdot uid$ . Payer derives $uid_{anon}$ : unique per user per vendor, unlinkable to $uid$ .
Cross-Cycle Unlinkability	$uid_{anon}$ incorporates rotating $v$ . Changes completely each billing cycle.
Post-Generation Immutability	$s1_i$ locks voucher parameters. SWE routes but cannot forge (lacks $v$ ).
Non-Replayability	Unique nonces $(R1, R2)$ per voucher. Payer indexes R1 digest, rejects duplicates.

Known Threats and Mitigations

Threat Vector	Impact	Mitigation
Vendor + SWE collusion - map user CMK ID to Vendor user ID	Low	SWE SRI verification and rehoming (Article 7).
Vendor + SWE collusion - map users to specific ORK nodes	Low	SWE SRI verification of blinding algorithms.
ORK + Payer collusion - trace User → Vendor → ORK → Payer flow	Low	Payer nodes exclusively operated by Tide Foundation.
ORK + Payer collusion - unobfuscate Vendor master ID	Low	Requires deep infrastructure-level collusion.
Malicious Payer node - approve unfunded operations, accrue debt	High	Payer nodes are permissioned, Tide-operated only.
Malicious Payer node - map obfuscated ORK IPs to Vendors	Medium	Payer operation heavily audited.
Vendor + User + ORK + Payer collusion - inflate billing to defraud honest ORK	Very High	Requires four-party collusion; mitigated by dispute resolution and forensic logging.
Vendor + Payer collusion - map Vendor traffic to ORK nodes	Low	Payer nodes highly scrutinized.

Layer Traversal

Layer	How This Protocol Engages It
Legitimacy	Payer validates VRK dates and balance. Facility linkage to VVK via semi-blind signature.
Authority	VVK signs VRK during onboarding. VRK signs each voucher.
Agency	Voucher gates every Agency Layer operation. ORKs execute only after Payer validation. PRISM tag derived from voucher obfuscation.
Settlement	Primary layer. Credit Facility management, voucher allocation, real-time validation, monthly redemption.

Security Properties

Property	Mechanism	Assumption
Triple-blinding	Three independent obfuscation layers (ORK identity, Vendor identity, User ID), each peelable only by intended recipient.	DH security, hash collision resistance.
Signature binding	Combined $s = s1 + s2$ binds Vendor and ORK signatures to identical $Y'$ , $O'$ , and action via joint hash term.	EdDSA unforgeability.
Slip-knot deobfuscation	Payer peels one layer ( $Y' \to Y''$ ) without accessing other blinds.	Payer key security.
Non-replayability	Digest-indexed uniqueness at Payer.	Payer database integrity.
Balance enforcement	Per-VRK credit tracking. Negative balance → rejection.	Payer database integrity.
Licensing enforcement	Anonymized MAU counting per $Y''$ . Exceeded license → rejection.	-
PRISM fusion	$Y'$ is simultaneously the PRISM $Ytag$ . Zero additional protocol rounds.	-
Cross-cycle unlinkability	VRK rotation changes $Y''$ and $uid_{anon}$ per billing cycle.	VRK rotation integrity.
BlindSig channel	ORK and Vendor independently derive $VENKey$ via Payer public key. Neither learns the other's identity.	DH security.

Call Summary

Call	Direction	Phase	Purpose
`CreateLicense`	Vendor → Payer	0	Register provisional credit facility with VRK.
`UpdateLicense`	Vendor → Payer	0	Update facility identity to $Y''$ after VVK generation.
`GetVouchers`	SWE → Vendor	1	Request funded vouchers with blinded ORK keys (`BlurPORKi`, `ActionRequest`, `BlurerK`).
`VoucherResponse`	Vendor → SWE	1	Return `voucherPacks[]`, `QPub`, `PayerPub`, `YHat`, `UDeObf`.
`VoucherRequest`	SWE → ORK	1	Distribute per-ORK `VoucherPack` with `QPub`, `PayerPublic`, `BlurerK`, `YHat`.
`findPayer`	ORK → mimDB	1	Locate Payer cluster for validation.
`ValidateVoucher`	ORK → Payer (one from cluster)	1-2	Submit `voucherFinal` + `QPub` for validation.
`redemptContent, redemptProof, obfgVVK`	Payer → ORK	2	Return validation data, Payer signature, and $VENkey'$ .
`prismID_i`	ORK → SWE	3	Return PRISM partial (authentication flow).
`encBlindMsg_i`	ORK → SWE	3b	Return encrypted result (BlindSig flow).
`redemptionAgg`	ORK → Payer	4	Monthly bulk settlement request.

References

Hall, J. L., Hertzog, Y., et al. (2023). Manifesting Unobtainable Secrets: Threshold Elliptic Curve Key Generation using Nested Shamir Secret Sharing. arXiv:2309.00915. Presented at AustMS 2021.
Chaum, D. (1983). Blind Signatures for Untraceable Payments. Advances in Cryptology Proceedings of Crypto.
Tide Developer Documentation: docs.tidecloak.com