A worked example of randomized cryptographic routing, identity-blind decision-tier construction, and adversarial-argument cryptographic gating in the judicial authorization variant of the ABT methodology family.
The ABT-W variant applies the foundational envelope-tier architecture to multi-decision-maker authorization, with the federal wiretap application as the canonical scenario. The variant-specific architectural elements are: randomized cryptographic routing of authorization requests to decision-makers from a registered pool such that the requesting party cannot influence assignment; adversarial argument as cryptographic precondition to the construction of the decision tier, such that the panel cannot proceed without a registered defense argument signature; and an identity-blind decision tier, in which the target identifier is authored out of the projection accessible to the deciding panel and remains sealed in the operational tier until a separate cryptographically witnessed execution event. This memorandum follows a single authorization through the protocol from application to execution.
The application is constructed at the prosecutor's endpoint. Target identifying information is encrypted to one tier key. Legal merit content is encrypted to another. The two will travel together but be unsealed separately by different parties.

| Actor | Endpoint | Holds |
|---|---|---|
| AUSA Diaz (Prosecutor · first party) | U.S. Attorney's office | Persistent Ed25519 signing key; per-request symmetric keys derived on demand |
| Process integrity guardian (Registry · neutral routing authority) | Independent oversight body | Routes requests, witnesses events, extends hash-chained log; does not hold decryption material |

The envelope contains two tier-specific projections of the same case. The operational_prosecutor tier holds the full record — target identity, full probable cause, every detail Diaz wrote. The decision_judicial_panel tier holds a version of the case with the target identifier authored out before encryption. The same case, two redactions, locked under two cryptographically independent tier keys.
The process integrity guardian uses a cryptographically secure random draw against the registered judicial pool. Diaz cannot choose. Defense cannot choose. The draw itself is verifiable later by any registered oversight authority.
The draw is deterministic from the registry's signing key and the request identifier. Any oversight authority registered for this tier can reproduce the draw from the registry's hash-chained log and confirm that selection was not steered. The registry does the routing. It does not decide. It does not see the case facts — it sees only the request identifier and the routing metadata. Diaz, the agent who drafted the affidavit, the President — none of them can substitute Judge Karpinski for Judge Park.
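
One way an oversight authority could reproduce such a draw, as an added example that is not part of the ABT-W specification. It assumes the log records the registry's deterministic Ed25519 signature over the request identifier and that the signature has already been verified against the registry's public key; the seed construction, the `role` label, the pool names and the request id `req-8a3c` are all hypothetical.

```python
import hashlib

def _ints(seed: bytes, role: bytes):
    """Endless 32-bit integers from SHA-256(seed || role || counter)."""
    counter = 0
    while True:
        block = hashlib.sha256(seed + role + counter.to_bytes(4, "big")).digest()
        for i in range(0, 32, 4):
            yield int.from_bytes(block[i:i + 4], "big")
        counter += 1

def draw(pool, k, registry_sig: bytes, request_id: str, role: bytes):
    """Pick k distinct pool members deterministically, without modulo bias."""
    if k > len(pool):
        raise ValueError("pool is smaller than the panel size")
    # Assumption: seed = SHA-256(registry signature over the request || request id).
    seed = hashlib.sha256(registry_sig + request_id.encode()).digest()
    remaining = sorted(pool)            # canonical order so every auditor agrees
    ints, chosen = _ints(seed, role), []
    while len(chosen) < k:
        n = len(remaining)
        limit = (2**32 // n) * n        # values at or above this would skew r % n
        r = next(ints)
        if r < limit:
            chosen.append(remaining.pop(r % n))
    return chosen

def audit_draw(logged, pool, k, registry_sig, request_id, role) -> bool:
    """Oversight check: recompute the draw and compare it with the logged panel."""
    return draw(pool, k, registry_sig, request_id, role) == list(logged)

# Constructed sample data: a 50-member pool and a placeholder 64-byte signature.
POOL = [f"judge-{i:02d}" for i in range(1, 51)]
SIG = bytes(range(64))

if __name__ == "__main__":
    panel = draw(POOL, 3, SIG, "req-8a3c", b"judicial_panel")
    print(panel, audit_draw(panel, POOL, 3, SIG, "req-8a3c", b"judicial_panel"))
```

Because the selection depends only on logged values, a panel that was substituted after the fact fails `audit_draw`; a different `role` label gives an independent draw from another registered pool.
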
A second randomized draw assigns the adversarial-argument role to a member of the registered defense pool. The decision tier cannot be constructed for the panel until a signed defense argument has been received at the registry.
The defense signature is a cryptographic precondition to the decision tier. The registry will not finalize the decision_judicial_panel tier for transmission to Chen, Reyes, and Park until a valid defense argument has been signed and witnessed. Without it, the panel never sees the case.
This is not a due-process claim wrapped in code. The decision-tier envelope accessible to the panel does not exist as decryptable ciphertext until the registry has received and verified the defense argument signature. Skip the defense, and there is no panel envelope to read.
Chen, Reyes, and Park receive the decision-tier projection. The target identifier was authored out at encryption time. They have probable cause, prosecution argument, defense argument, statute, and intercept scope. They do not have, and cannot derive, who the application is about.
The constitutional question — does this probable cause support intercept of this scope under this statute — is the only question the panel is equipped to answer. The political question — is this the kind of person we like — was never put to them.
The judges' tier-specific keys can decrypt the decision tier and nothing else. They cannot decrypt the operational tier, where target identity lives. They cannot decrypt other oversight tiers. The cryptographic boundary at the cipher level enforces what discovery rules attempt to enforce by policy in the existing system.
Each judge decrypts the decision tier on their own endpoint, decides, and signs their decision with their persistent tier key. The registry computes majority. The authorization is cryptographically signed and witnessed.

| Judge | Decision | Signature |
|---|---|---|
| Judge Chen (Panel · pool #12) | Grant | dec_chen_8a3c |
| Judge Reyes (Panel · pool #28) | Grant | dec_reyes_8a3c |
| Judge Park (Panel · pool #41) | Deny | dec_park_8a3c |

The authorization was granted on legal merit alone. To execute it, the FBI field officer combines the registry-witnessed authorization with the operational tier they decrypt at their own endpoint. Identity and authorization come together for the first time at execution, under a fresh registry countersignature.

| Actor | Action | Result |
|---|---|---|
| SA Brooks (Executing officer) | Receives auth_8a3c; decrypts operational_prosecutor | subj_3kf2 → Hiroshi Tanaka, mobile #1 → +1-415-555-0172 |
| Process integrity guardian (Registry) | Receives execution event; countersigns | exec_brooks_8a3c linked to auth_8a3c in hash chain |

The target's identity met the authorization for the first time at execution, in the field, under a registry countersignature. Chen, Reyes, and Park never knew it was Tanaka. They never can — their tier keys cannot decrypt the operational tier.
If the same authorization were ever applied to a different target, the registry would require a fresh execution event, fresh countersignature, fresh hash-chain entry, all publicly auditable. The 90-day intercept window begins at the execution event. When it expires, the operational tier remains but the authorization tier's per-event keys cease to be released. Continued execution requires a new application.
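
An auditor's view of the hash-chained log, covering both the defense-argument precondition and the link from execution back to authorization described above. This is an added example, not code from the ABT-W specification: the entry layout, the event names and the use of `8a3c` as the request identifier are assumptions, and signature verification on each entry is left out.

```python
import hashlib, json

GENESIS = "0" * 64

def entry_hash(prev: str, body: dict) -> str:
    """Hash one entry: previous entry's hash plus canonical JSON of the body."""
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def append(log: list, **body) -> None:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "body": body, "hash": entry_hash(prev, body)})

def audit(log: list, request: str) -> list:
    """Return the violations found; an empty list means chain and ordering hold."""
    problems, seen, grants, prev = [], set(), set(), GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(e["prev"], e["body"]):
            problems.append(f"entry {i}: chain broken")
        prev, b = e["hash"], e["body"]
        if b.get("request") != request:
            continue
        kind = b["event"]
        if kind == "decision_tier_finalized" and "defense_argument" not in seen:
            problems.append(f"entry {i}: decision tier finalized without defense argument")
        if kind == "decision" and b["vote"] == "grant":
            grants.add(b["judge"])      # one vote per judge
        if kind == "authorization" and len(grants) < 2:   # majority of three
            problems.append(f"entry {i}: authorization without panel majority")
        if kind == "execution" and "authorization" not in seen:
            problems.append(f"entry {i}: execution without authorization")
        seen.add(kind)
    return problems

def sample_log() -> list:
    """Constructed log following the memorandum's sequence for one request."""
    log = []
    append(log, request="8a3c", event="application")
    append(log, request="8a3c", event="defense_argument")
    append(log, request="8a3c", event="decision_tier_finalized")
    for judge, vote in (("chen", "grant"), ("reyes", "grant"), ("park", "deny")):
        append(log, request="8a3c", event="decision", judge=judge, vote=vote)
    append(log, request="8a3c", event="authorization", id="auth_8a3c")
    append(log, request="8a3c", event="execution", id="exec_brooks_8a3c", auth="auth_8a3c")
    return log
```

Editing a recorded vote or deleting the defense entry changes the hashes downstream, so `audit` reports the break at the first affected entry.
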
Cryptographic claim summary. The variant-specific architectural elements claimed in the ABT-W disclosure are: (a) randomized cryptographic routing of authorization requests to decision-makers through a cryptographically secure random draw against a registered pool; (b) adversarial argument as cryptographic precondition to construction of the decision-tier projection; (c) identity-blind decision tier with target identifying information authored out of the projection before encryption to the panel's tier keys; (d) multi-decision-maker concurrency with majority determination computed at the registry from independently signed decisions; (e) time-delayed public-aggregate post-case disclosure with cryptographically committed disclosure timestamps. The foundational mechanism — first-party-side encryption, callback-mediated key release, registry-routed restoration, forward-only tier activation, per-tier projection, tamper-evident hash-chained logs — is inherited from the foundational specification.