A tax record auditors can verify and never read. Dual-tier architecture keeps full citizen PII in one projection and aggregate-only figures in another — independent tier keys, structural separation.
An IRS audit targets a government contractor. The auditor requests the relevant tax records. The protocol releases the taxation tier: aggregate income, taxable categories, jurisdiction, compliance status.
The contractor's employees' names, social security numbers, home addresses, and benefit details are in a separate tier keyed independently. The auditor receives valid, complete tax data needed for the audit. The employees' PII is sealed.
The auditor cannot request, subpoena, or demand access to the personal tier through the contractor's records alone. A separate legal instrument targeting a separate tier authority would be required. The separation is not a matter of the contractor's cooperation — it is a structural property of the envelope.
Federal tax audits, FOIA requests, grant compliance reviews, regulatory filings, public contracts — any government record type where transparent aggregate data and protected personal data coexist in the same document.
ABT-G uses Ed25519 digital signatures for authentication of every event at every party. Per-event symmetric keys are derived via HKDF with the event identifier as salt and held in hardware-backed secure storage (Apple iOS Keychain, Android Keystore, or equivalent platform secure-storage).

Envelope encryption is performed at the first-party endpoint before any ciphertext leaves the device or origin. Each tier authority’s ciphertext contains only that tier’s authored projection: information not relevant to a tier authority is authored out before encryption, not redacted after.

The registry maintains a hash-chained log where each entry’s hash includes the prior entry’s hash, providing tamper-evident integrity across the chain.

Forward-only tier activation: registration of a new tier authority causes inclusion of an active tier layer in subsequent envelopes only. Existing envelopes are not retroactively modified.

Cryptographic boundary at the first party. Plaintext never moves. Per-tier projection authored at envelope construction. Registry-routed restoration requires structural participation by all three parties.
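The per-event key derivation, per-tier projection and hash-chained log described above, sketched as an added example; this is not ABT-G's own code. It assumes SHA-256, a separate secret per tier as HKDF input, the tier name as HKDF info, and the field split from the audit scenario on this page; every function and field name is hypothetical, and Ed25519 signing and the encryption step are left out.

```python
import hashlib, hmac, json

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Assumed allow-list per tier, taken from the audit scenario on this page.
TIER_FIELDS = {
    "taxation": ("aggregate_income", "taxable_categories", "jurisdiction", "compliance_status"),
    "personal": ("name", "ssn", "home_address", "benefit_details"),
}

def author_projection(record: dict, tier: str) -> bytes:
    """Build a tier's plaintext from its allow-list; other fields are never copied in."""
    return json.dumps({k: record[k] for k in TIER_FIELDS[tier]}, sort_keys=True).encode()

def event_key(tier_secret: bytes, event_id: str, tier: str) -> bytes:
    """Per-event key: event identifier as HKDF salt, tier name as info (assumption)."""
    return hkdf_sha256(tier_secret, event_id.encode(), tier.encode())

GENESIS = b"\x00" * 32  # assumed anchor value for the first log entry

def append_entry(log: list, payload: bytes) -> None:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "payload": payload,
                "hash": hashlib.sha256(prev + payload).digest()})

def verify_chain(log: list) -> int:
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or hashlib.sha256(prev + e["payload"]).digest() != e["hash"]:
            return i
        prev = e["hash"]
    return -1

# Constructed sample record; every value is made up for this example.
RECORD = {"aggregate_income": 1250000, "taxable_categories": ["wages", "contracts"],
          "jurisdiction": "US-federal", "compliance_status": "compliant",
          "name": "Jane Example", "ssn": "000-00-0000",
          "home_address": "1 Sample Street", "benefit_details": "plan-A"}
```

An entry that is altered and then re-hashed to look consistent still breaks the chain, because the next entry's stored prior hash no longer matches.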
Cryptography researchers studying envelope encryption, tier-bounded ciphertext, deterministic key derivation, and signed receipt chains in government records and citizen-state interactions.
Privacy researchers studying architectural privacy enforcement, unlinkability, purpose limitation, retention through cessation, and consumer-controlled key custody.
Consumer protection advocates seeking architectural alternatives to policy-based privacy enforcement. Cryptographic structural enforcement, not vendor trust.
Policy researchers examining cryptographic enforcement of storage limitation (GDPR Article 5(1)(e)), data minimization (GDPR Article 5(1)(c)), and consumer protection requirements.
Civic technology researchers studying citizen data sovereignty, government transparency mechanisms (FOIA), tax record retention, license application data, dual lifecycle systems separating permanent institutional records from retention-bound citizen data, and cryptographic enforcement of regulatory storage limits.