Selective attribute disclosure with cross-relying-party correlation prevention. Disclose only what's needed, never the underlying record.
Filed · Patent pending
ABT-I · identity disclosure walkthrough
Proving you're over 21 without proving who you are
A concrete identity-disclosure scenario showing per-disclosure key derivation, sealed-identity age verification, and cross-disclosure unlinkability across two venues in a single evening.
Variant of ABT · US Provisional Patent 64/056,353 · Filed May 4, 2026
The bouncer sees "over 21: yes." They never see Pita's name, ID number, or anything that connects this check to the next bar.
Pita Faleolo arrives at Bar Alcazar — his device derives a per-disclosure key
Pita's device holds a persistent identity key registered at enrollment against a verified ID. He has not yet shown the bar anything. His device derives a disclosure token scoped to this venue, this evening, valid for 4 hours.
Pita Faleolo (first party) derives the disclosure token:
  ik_faleolo · persistent identity key
  ↓ derives per-venue per-session token
  disc_alcazar_e4b1
  valid: 4 hours · Bar Alcazar only
  encrypts: age_verified tier + identity tier
Disclosure envelope: disc_alcazar_e4b1
Verifier (Bar Alcazar) receives the disclosure:
  holds venue tier key
  identity tier: sealed
  no name · no ID number
The envelope contains two independent tier projections. The age_verified tier holds a boolean and a date-range bracket. The identity tier holds Pita's name, government ID number, and photo hash. Bar Alcazar's venue key can reach the age_verified tier and nothing else.
Bar Alcazar's bouncer sees "over 21: yes" — nothing more
The bouncer's terminal decrypts the age_verified tier at its endpoint. The result is a single attribute. The identity tier is cryptographically sealed — the bouncer's venue key cannot reach it regardless of what the bouncer's terminal requests.
age_verified tier — accessible to Bar Alcazar
disclosure_id: disc_alcazar_e4b1
over_21: yes
age_bracket: 25–34
valid_until: 22:47 tonight · Bar Alcazar only
legal_name: sealed in identity tier
government_id: sealed in identity tier
photo_hash: sealed in identity tier
Age is verified. Identity is not disclosed. The bouncer receives a cryptographic assertion that Pita is over 21 and in the 25–34 age bracket. They do not receive his name, his ID number, or any identifier that connects this check to any other check performed this evening.
The venue key used to decrypt the age_verified tier is scoped to Bar Alcazar. If Bar Alcazar shares their decrypted output with Bar Verde, Bar Verde receives an assertion with a disclosure token bound to Bar Alcazar's key — the assertion is not transferable and cannot be verified by Bar Verde's endpoint.
The registry witnesses the disclosure event — without seeing who Pita is
The process integrity guardian receives a routing notification and logs the disclosure event. It sees: a disclosure token was presented at a registered venue at a timestamp. It does not hold the age_verified tier key or the identity tier key.
The registry log entry for this disclosure is public and verifiable. A regulatory audit of Bar Alcazar can confirm that age verification was performed at 18:47:23 and that a valid disclosure token was presented. The audit cannot determine from the registry log whose token it was — the registry does not hold that information.
Two hours later — Pita arrives at Bar Verde. His device derives a second, independent disclosure token.
Pita's device derives a completely different disclosure token for Bar Verde. The new token shares no material with disc_alcazar_e4b1. Bar Verde receives a venue-scoped disclosure they can verify. Bar Alcazar's disclosure is expired and irrelevant to this check.
Pita Faleolo (first party) performs the second derivation:
  ik_faleolo · same persistent key
  ↓ new per-venue per-session token
  disc_verde_9c3a
  independent of disc_alcazar_e4b1
  valid: 4 hours · Bar Verde only
Disclosure envelope: disc_verde_9c3a
Verifier (Bar Verde) receives the disclosure:
  holds venue tier key (Bar Verde)
  identity tier: sealed
  cannot link to Alcazar check
The two disclosure tokens are derived from the same persistent key, but they are cryptographically independent. Bar Verde cannot compute disc_alcazar_e4b1 from disc_verde_9c3a. Bar Alcazar cannot compute disc_verde_9c3a from disc_alcazar_e4b1. Neither token reveals the persistent key from which both were derived.
Bar Verde verifies Pita is over 21 — from a completely different disclosure token
Bar Verde's bouncer sees the same result: over 21: yes. They see a disclosure token that is different from anything Bar Alcazar holds. They cannot cross-reference with Bar Alcazar's records to confirm they are checking the same person.
age_verified tier — accessible to Bar Verde
disclosure_id: disc_verde_9c3a
over_21: yes
age_bracket: 25–34
valid_until: 00:31 tonight · Bar Verde only
legal_name: sealed in identity tier
government_id: sealed in identity tier
Bar Verde holds disc_verde_9c3a. Bar Alcazar holds disc_alcazar_e4b1. Neither can determine whether these disclosures came from the same person. If both venues shared their disclosure records with a third party, that third party would see two valid age-verification events, at two venues, at two timestamps — with no common identifier linking them.
The architectural moment: two verified disclosures, structurally impossible to link without Pita's device
A regulatory audit confirms both bars complied with age verification. The audit cannot link the two disclosures to the same person. If Pita's device participates, he can generate a linking proof. No third party can generate it for him.
link_proof_check:
disc_alcazar_e4b1: derived from ik_faleolo + alcazar_seed
disc_verde_9c3a: derived from ik_faleolo + verde_seed
common_root: ik_faleolo (on device only)
linkable WITHOUT device: no
linkable WITH device: yes (Pita generates linking proof on request)
audit can confirm: both disclosures valid, same age bracket
audit cannot confirm: same person, without device participation
Cross-disclosure unlinkability holds as a structural property. No party — not Bar Alcazar, not Bar Verde, not the registry, not a data aggregator holding both disclosure records — can link disc_alcazar_e4b1 and disc_verde_9c3a to Pita Faleolo without Pita's device generating a specific linking proof. That proof is under Pita's sole control.
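The per-disclosure derivation and device-only linking described above, as an added sketch that is not code from this page or from the patent filing. It assumes HKDF-SHA256 as the derivation function and treats alcazar_seed and verde_seed as per-session values; the page specifies neither, `device_can_link` is a hypothetical stand-in for the linking proof, and all key and seed bytes are constructed.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK from the key, then expand it with `info`."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_disclosure_token(identity_key: bytes, venue: str, seed: bytes) -> bytes:
    # Assumption: the per-session seed is the HKDF salt and the venue name is
    # bound in through `info`, so the token is scoped to one venue and session.
    return hkdf_sha256(identity_key, seed, b"disclosure-token|" + venue.encode())

def device_can_link(identity_key: bytes, disclosures) -> bool:
    """Device-side check: every (venue, seed, token) re-derives from this key.

    Stand-in for the page's linking proof; it needs the persistent key, so
    only the holder of that key can run it.
    """
    return all(
        hmac.compare_digest(derive_disclosure_token(identity_key, venue, seed), token)
        for venue, seed, token in disclosures
    )

# Constructed sample values (hypothetical; not real key material).
IK_FALEOLO = hashlib.sha256(b"constructed ik_faleolo").digest()
OTHER_KEY = hashlib.sha256(b"constructed key of another patron").digest()
ALCAZAR_SEED = hashlib.sha256(b"constructed alcazar_seed").digest()
VERDE_SEED = hashlib.sha256(b"constructed verde_seed").digest()

def demo() -> dict:
    alcazar = derive_disclosure_token(IK_FALEOLO, "Bar Alcazar", ALCAZAR_SEED)
    verde = derive_disclosure_token(IK_FALEOLO, "Bar Verde", VERDE_SEED)
    records = [("Bar Alcazar", ALCAZAR_SEED, alcazar), ("Bar Verde", VERDE_SEED, verde)]
    return {
        "tokens_differ": alcazar != verde,
        "linkable_with_device": device_can_link(IK_FALEOLO, records),
        "linkable_with_other_key": device_can_link(OTHER_KEY, records),
    }

if __name__ == "__main__":
    print(demo())
```

The unlinkability of the two tokens in this sketch rests on HMAC-SHA256 behaving as a pseudorandom function: without the persistent key, neither token can be recomputed from the other.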
Regulatory compliance is preserved. Both bars can demonstrate to a licensing authority that valid age verifications were performed, at the correct timestamps, using cryptographically verifiable disclosure tokens. The licensing authority does not need to know whose tokens they were to confirm compliance.