Bundle A — Sovereign Custody · Sovereign Technology

⬡ Keccak-f[1600] Entropy Engine hardware CSPRNG + timing + intent → sovereign entropy pool

0% Entropy Pool

Intent Phrase (entropy salt)

Sponge State (200 bytes)

Entropy Sources

◦ Hardware CSPRNG (64 bytes)

◦ Timing jitter (32 samples)

◦ Intent phrase

◦ Mouse entropy

Sponge Stats

Steps: 0
State hash: —
Pool size: 0 bytes

🗝 Sovereign Identity Chain Ed25519 + AES-GCM · DID · zero server · IndexedDB persist

Generate a cryptographic identity from your entropy pool. No server, no oracle, no tracking. The private key is AES-GCM encrypted at rest in IndexedDB using a PBKDF2-derived wrapping key.

Generate entropy first (Keccak Entropy tab), then generate your identity here.

🔷 Shamir 3-of-5 Secret Sharing GF(256) · any 3 of 5 shares reconstruct the key · no third party

Splits the private key into 5 shares using Galois Field (GF(2⁸)) arithmetic. Any 3 shares can reconstruct the key — none individually reveal anything. Distribute to 5 different custodians or locations.

Recovery Test — Paste 3 shares to verify

3 Share Hex values (comma or newline separated)

🔒 AES-256-GCM Sharding + IPFS client-side encryption · SHA-256 integrity · configurable shards

Records

Total Shards

Access Grants

Record ID

Data to encrypt

Tags (comma separated)

Retrieve with Capability Token

Record ID

Capability Token (optional)

Encrypted Records

🎫 Capability Token Access Control cryptographically signed · time/view limits · ZK-derived · revocable

Tokens are cryptographically random, time-limited, view-limited, and tied to a specific resource and grantee. The master key is never exposed — only capability-scoped tokens are issued.

Resource ID to grant access to

Max Views

Expires (hours)

Grant To (DID or *)

How Capability Tokens Work

1. Token = 48 random bytes (crypto.getRandomValues)
2. Bound to: resource ID · max views · expiry · grantee DID
3. Master key never leaves encryption engine
4. Each token view is logged in audit trail
5. Expiry and view limit enforced at retrieval time
6. Revocation: delete token from grants registry

Token Audit

✓ Bundle A Verification Report cross-component integrity · audit-ready

Keccak Entropy Not verified PEND

Sovereign Identity Not verified PEND

Shamir 3-of-5 Not verified PEND

AES-256 Encryption Not verified PEND

Capability Tokens Not verified PEND