Squyr. Bilateral Cryptographic Data Exchange
PROTOCOL · v1.0

How It Works

Eight-step protocol breakdown. Cryptographic primitives. Bilateral exchange flow. Key rotation and hash-chain audit.

● Encrypted ● Bilateral ● FIPS 140-2
FLOW · 8 STEPS

The bilateral protocol

01 · Sender · Normalize Identifiers

Raw identifiers are normalized: phone numbers to E.164 format, emails lowercased and trimmed. Because both parties apply the same rules, they produce identical hashes from identical underlying identifiers.

E.164 · RFC 3966
02 · Sender · SHA-256 Hash

Each normalized identifier is hashed with SHA-256 client-side. The hash output is the only data that will be exchanged, never the raw identifier. SHA-256 is a one-way function; it cannot be reversed.

FIPS 180-4 · RFC 6234
03 · Bilateral · HKDF Key Derivation

A derived key is computed using HKDF-SHA256 over the Sender's master material, the Recipient's public commitment, and a per-segment salt. The key is unique to this exchange. Neither party derives alone.

HKDF-SHA256 · RFC 5869
04 · Sender · AES-256-GCM Wrap

Each SHA-256 hash is encrypted with AES-256-GCM using the derived key, a unique nonce, and segment metadata as AAD. The output is a wrapped token with no recoverable identifier information.

AES-256-GCM · FIPS 197 · NIST SP 800-38D
05 · Sender · Ed25519 Sign

The Sender signs the bundle metadata with Ed25519. The signature proves origin and integrity. The signature is 64 bytes and deterministic. 10× faster than RSA-2048.

Ed25519 · RFC 8032
06 · Bilateral · mTLS 1.3 Transmit

The signed, wrapped bundle is transmitted over mutual TLS 1.3. Both parties authenticate. No plaintext passes between environments at any point in the protocol.

mTLS 1.3 · RFC 8446
07 · Recipient · Verify Signature

The Recipient verifies the Ed25519 signature against the Sender's registered public key, which confirms bundle integrity. Any tampering is detectable: failed verification terminates the exchange.

Ed25519 Verify · RFC 8032
08 · Recipient · AES-256-GCM Unwrap

The Recipient locally derives the session key using their own master material, the Sender's public commitment, and the segment salt. Wrapped tokens are unwrapped bilaterally. Hashes are matched against the partner cohort.

HKDF · AES-256-GCM · RFC 5869
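
Steps 01 to 04 and step 08 as an added Node.js example (not Squyr's code), showing that the recipient recovers the same hash and that a changed AAD makes the unwrap fail. The page does not say how both sides reach the same key, so the example assumes each party's "public commitment" is an X25519 public key whose shared secret feeds HKDF; the `segment-wrap` info label, the AAD strings and the sample email are constructed.

```javascript
// Added example, not Squyr's code. Assumption: a party's "public commitment"
// is modelled as an X25519 public key; the page does not define it.
const crypto = require('node:crypto');

// Step 01: emails are trimmed and lowercased.
const normalizeEmail = (raw) => raw.trim().toLowerCase();

// Step 02: SHA-256 over the normalized identifier (32-byte Buffer).
const hashIdentifier = (id) => crypto.createHash('sha256').update(id, 'utf8').digest();

// Steps 03 and 08: own private material + peer's public commitment + segment
// salt go through HKDF-SHA256. 'segment-wrap' is a hypothetical info label.
function deriveKey(ownPrivate, peerPublic, salt) {
  const shared = crypto.diffieHellman({ privateKey: ownPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'segment-wrap', 32));
}

// Step 04: AES-256-GCM with a fresh 96-bit nonce and segment metadata as AAD.
function wrap(key, hash, aad) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  const ct = Buffer.concat([cipher.update(hash), cipher.final()]);
  return { nonce, ct, tag: cipher.getAuthTag() };
}

// Step 08: returns the hash, or null when the GCM tag check fails.
function unwrap(key, token, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, token.nonce);
  d.setAAD(aad).setAuthTag(token.tag);
  try { return Buffer.concat([d.update(token.ct), d.final()]); } catch { return null; }
}

// Constructed sample exchange: keys, salt, AAD and email are made up here.
function demo() {
  const sender = crypto.generateKeyPairSync('x25519');
  const recipient = crypto.generateKeyPairSync('x25519');
  const salt = crypto.randomBytes(32);
  const aad = Buffer.from('segment=demo-001');
  const sKey = deriveKey(sender.privateKey, recipient.publicKey, salt);
  const token = wrap(sKey, hashIdentifier(normalizeEmail('  Alice@Example.COM ')), aad);
  const rKey = deriveKey(recipient.privateKey, sender.publicKey, salt);
  const recovered = unwrap(rKey, token, aad);
  return {
    matched: recovered.equals(hashIdentifier('alice@example.com')),
    wrongSegment: unwrap(rKey, token, Buffer.from('segment=demo-002')),
  };
}
```
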
Cryptographic Primitives
SHA-256: One-way identifier hashing. Output cannot be reversed to recover the original. (FIPS 180-4)
HKDF-SHA256: Bilateral key derivation. Combines both parties' master material + per-segment salt. (RFC 5869)
AES-256-GCM: Authenticated symmetric encryption with AAD. Wraps hashes with the derived key. (FIPS 197 · NIST SP 800-38D)
Ed25519: Bundle authentication. 32-byte keys, deterministic, 10× faster than RSA-2048. (RFC 8032)
Security Scenarios
Bundle intercepted in transit. Attacker holds signed wrapped tokens — no derived key material. Cannot decrypt without both parties' master material.
Master key compromised. Derived session keys remain valid for in-flight bundles only within the 30-day grace period. Old bundles expire.
Recipient environment breached. Attacker lacks Sender's master material. Cannot unilaterally derive session keys or unwrap bundles.
Signature forged. Ed25519 verification fails. Exchange terminates. Tampering is detectable at step 07 — before any unwrap occurs.
Key Rotation

Salts rotate automatically. Master material rotates on a configurable schedule — typically 90 days — with on-demand rotation supported.

Salt Rotation: Automatic. Per-segment, per-exchange.
Master Rotation: 90 days. On-demand supported.
Grace Period: 30 days. In-flight bundles complete.
Rotation Signal: Audit log. Hash-chain triggers rotation.
Audit Log · Hash-Chained Ledger
Time | Action | Result
21:38:11 | SHA-256 HASH | Success
21:38:11 | HMAC INTEGRITY | Success
21:38:12 | AES-GCM WRAP | Success
21:38:12 | ED25519 SIGN | Success
21:38:13 | BUNDLE TRANSMIT | Success
SUMMARY

No PII on the wire. No exceptions.

Both parties contribute key material. Neither side can unilaterally decrypt the exchange. No third-party middleware required.

01 · Client-side hashing
SHA-256 in the browser via Web Crypto API. Raw identifiers never enter the exchange pipeline. Hash is the only data transmitted.
02 · Bilateral key derivation
HKDF-SHA256 combines both parties' master material + per-segment salt. Neither side derives alone. No credential pool, no central store.
03 · Verified, audited, logged
Ed25519 signature proof on every bundle. Hash-chained audit log records every step. Integrity verifiable post-exchange.
HIPAA · FIPS 140-2 · BAA Compatible · SOC 2 Type II