Dual lifecycle: permanent institutional signing for public records, retention-bound encryption for citizen personal data.
Filed · Patent pending
ABT methodology family · variant ABT-G · government records
A tax record that auditors can verify and never read
How a government record holds full PII in one tier and aggregate-only figures in another — with structural separation between the citizen's return and the auditor's view.
US Provisional Patent 64/056,353 · Filed May 4, 2026 · sidratnam.com/abt/
Plaintext never moves · Each tier authority sees only its projection · PII inaccessible to audit layer by cryptographic structure
Lena Marchetti files her return
Her device constructs two independent tier projections from the same return data. The citizen tier holds full PII. The audit tier holds aggregates only.
First party
Lena Marchetti
rk_marchetti — root return key
Constructs envelope locally
Citizen tier: full PII projection
Audit tier: aggregate-only projection
encrypted citizen envelope →
Revenue authority
National Tax Office
Holds authority tier key
Can decrypt citizen projection
Stores envelope in record system
Return envelope · rk_marchetti_2025
taxpayer_idTIN_38847201
full_nameLena Marchetti
addressVia Torino 14, Milan
income_total€ 94,200
tax_due€ 22,300
audit_projection[ encrypted to audit tier key · aggregate figures only ]
Two tiers, one envelope. The citizen projection contains full PII: name, address, TIN, itemised figures. The audit projection contains income bracket, tax liability bracket, and filing status — no name, no address, no TIN. These projections are encrypted to independent tier keys. The authority tier key can read the citizen projection. The audit tier key can read the aggregate projection. Neither key can decrypt the other's projection.
Revenue Authority receives and stores the return
The authority tier key decrypts the citizen projection at the authority's endpoint. Full PII is accessible for routine tax administration. The audit projection remains sealed at this stage.
Authority view · rk_marchetti_2025
taxpayer_idTIN_38847201
full_nameLena Marchetti
income_total€ 94,200
tax_due€ 22,300
filing_statusindividual · on-time · no prior flags
audit_projection[ audit tier · sealed to authority key · not accessible here ]
Routine administration operates in the citizen tier. Tax assessment, payment matching, refund processing — all operate on the citizen projection, which is fully accessible to the authority. The audit tier key is held by a separate institutional function. This is not an access control policy — the authority tier key cannot decrypt the audit projection regardless of intent.
An audit sweep is triggered — aggregate pattern analysis
The audit function initiates a population-level review for income bracket 85K–100K. It requests audit projections. No citizen-tier data is accessed at this stage.
Audit function
Office of Tax Compliance
Holds audit tier key
Requests audit projections
Cannot access citizen tier
audit projection requested →
Record store
Tax Record System
Returns sealed audit projections
Citizen tier remains sealed
No PII released to audit function
The audit function operates without citizen PII. At this stage, no names, no TINs, no addresses are accessible to the audit function. It receives a set of sealed envelopes containing audit projections. Its tier key can decrypt those projections — and only those projections.
Audit function reads the aggregate projection
The audit tier key decrypts Marchetti's audit projection. What the audit function sees: income bracket, tax bracket, deduction ratio, filing status. What it does not see: name, address, TIN.
citizen_tier[ sealed to citizen tier key · name / TIN / address not accessible here ]
audit_flag:
return_token: rk_marchetti_2025
trigger: deduction_ratio 0.31 vs. bracket average 0.19
flag_type: elevated_deductions · population deviation > 1.5σ
pii_accessed: false
citizen_tier_opened: false
The flag is raised without PII access. The audit function identifies a statistical outlier using the aggregate projection only. It does not yet know whose return this is. The audit token rk_marchetti_2025 is a reference opaque to the audit function — it can use this token to request citizen-tier access through a separate, supervised authorisation step.
Audit flags elevated deductions — citizen tier still sealed
The discrepancy (deduction ratio 0.31 vs. bracket average 0.19) is documented using the audit projection only. The audit function submits a citizen-tier access request referencing rk_marchetti_2025. No PII has been accessed yet.
Escalation requires separate authorisation. The audit function cannot unilaterally open the citizen tier. It holds the audit tier key — not the citizen tier key. Access to the citizen projection requires a separate institutional step: an authorised official (or judicial order, depending on jurisdiction) provides approval before the citizen tier key is released for this return.
Citizen tier authorised — Marchetti's PII is now accessible
An authorised official approves citizen-tier access for return rk_marchetti_2025. The citizen tier key is released for this specific return. Full PII becomes accessible to the audit function for this audit only.
Every citizen-tier access is logged to the tamper-evident chain. The hash chain entry records: which return was opened, under what authorisation, at what time, by which function. Marchetti can request a disclosure log and see that her citizen tier was opened, under authorisation AUTH-2025-0081, at a specific date. The audit function's access is not invisible to the data subject — it is logged and auditable.