]> WritersLogic Inc

San Diego, California United States david@writerslogic.com

Security Remote ATtestation procedureS attestation RATS provenance authorship This document specifies the Proof of Process (PoP) Evidence Framework, a specialized profile of Remote Attestation Procedures (RATS) designed to validate the provenance of effort in digital authorship. Unlike traditional provenance, which tracks file custody, PoP attests to the continuous physical process of creation. The protocol defines a cryptographic mechanism for generating Evidence Packets utilizing a composite Sequential Work Function (SWF) to enforce temporal monotonicity and Cross-Domain Constraint Entanglement (CDCE) to bind behavioral entropy (human jitter) and physical state to the document. Technical specifications for wire formats, sequential work functions, and hardware-anchored trust are provided.

Introduction The rapid proliferation of generative artificial intelligence has created an authenticity crisis in digital discourse. While traditional provenance tracks the "custody of pixels," it fails to attest to the human-driven process of creation. This document specifies the Proof of Process (PoP) protocol, which extends the RATS architecture to validate the "provenance of effort." Unlike traditional attestation which captures static system state, PoP attests to a continuous physical process. It introduces Proof of Biological Space-Time (PoBST) to enforce temporal monotonicity and Cross-Domain Constraint Entanglement (CDCE) to bind behavioral entropy (human jitter) and physical state (thermodynamics) to the document's evolution. By entangling content hashes with these physical constraints, this protocol enables an Attester to generate an Evidence Packet (.pop) that imposes quantifiable cost on forgery of authorship claims, preserving privacy by design without disclosing document content.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

System Model This section defines the PoP system model in terms of the RATS architecture and identifies where PoP diverges from standard remote attestation assumptions.

RATS Entity Roles PoP maps to RATS entity roles as follows:

Attester:

The authoring application and its host platform. The Attester generates Evidence Packets (.pop) containing behavioral entropy, physical state markers, and SWF proofs. Unlike traditional RATS deployments, the Attester in PoP is operated by the entity whose claims are being verified (the author).

Attesting Environment (AE):

The software and hardware components that collect telemetry and generate cryptographic bindings. This includes the authoring application, operating system interfaces for entropy collection, and hardware Secure Elements (TPM/SE) when available.

Verifier:

An entity that appraises Evidence Packets and produces Attestation Results (WAR). Verifiers may be operated by publishers, platforms, or independent third parties. Verifier logic is specified in .

Relying Party:

Consumers of WAR Results who make trust decisions based on the appraisal. This includes publishers, readers, or automated systems that need authenticity assurance.

Endorser:

Entities that provide Reference Values for verification. In PoP, this includes hardware manufacturers (TPM endorsement certificates) and the PoP specification itself (defining expected behavioral patterns).

Compatibility with RATS Architecture PoP implements a specialized RATS profile with a critical trust inversion: in traditional remote attestation, the Attester is a device whose owner (Relying Party) wants assurance about its state. The adversary is typically external -- malware, network attackers, or supply chain threats. In PoP, the Attester is operated by the author, and the Relying Party (publisher, reader) has no privileged access to the authoring environment. The primary adversary is the Attester operator themselves. This fundamental inversion shapes the entire security model:

• Evidence must be unforgeable by the entity generating it
• Temporal claims must be bound to physical constraints the Attester cannot circumvent
• Behavioral entropy must be computationally expensive to simulate
• Hardware attestation provides value only when the hardware root of trust is genuinely inaccessible to the Attester operator

Despite this inversion, PoP maintains compatibility with RATS message flows and data formats, enabling integration with existing RATS infrastructure where appropriate.

Threat Model This section defines the adversary model following the methodology of and incorporating insights from RATS security analysis . The threat model assumes a Dolev-Yao style adversary with domain-specific constraints.

Adversarial Attester Model The PRIMARY threat in PoP is an adversarial Attester -- an author who controls the Attesting Environment and seeks to generate Evidence for content they did not authentically author. This inverts the standard RATS trust assumption where the Attester is trusted to report honestly. The adversarial Attester has the following capabilities:

• Full software control: Can modify, instrument, or replace any software component including the authoring application and operating system
• Timing manipulation: Can adjust system clocks, virtualize execution environments, and attempt to compress or expand apparent time
• Entropy injection: Can inject synthetic behavioral data (keystroke timing, jitter sequences) from pre-recorded or generated sources
• Content pre-generation: Can generate document content using AI tools or other assistance before initiating the attestation session
• Parallel execution: Can run multiple attestation sessions simultaneously or use distributed resources

The adversary is constrained by:

• Physics: Cannot violate thermodynamic laws or accelerate hardware beyond physical limits
• Memory bandwidth: MHSF computations are bounded by available memory bandwidth
• Hardware isolation: In T3/T4 tiers, cannot extract keys from Secure Elements without physical tampering
• Economic rationality: Will not expend resources exceeding the value of successful forgery

Security Goals PoP provides the following authentication properties, defined in terms of adversary advantage:

Temporal Authenticity:

Given Evidence claiming authorship duration D, an adversary cannot produce valid Evidence in time significantly less than D. Formally: Adv_temporal = Pr[Verify(E) = accept AND Time(Generate(E)) < D - epsilon] is negligible for meaningful epsilon.

Behavioral Authenticity:

Given Evidence containing behavioral entropy B, an adversary cannot efficiently generate synthetic entropy that is indistinguishable from biological origin. The cost of generating synthetic behavioral data satisfying all forensic constraints MUST exceed a defined threshold.

Content Binding:

Evidence E is cryptographically bound to document D such that E cannot be repurposed to attest a different document D'. This property is unconditional given collision resistance of SHA-256.

Non-repudiation (T3/T4):

In hardware-bound tiers, Evidence is signed with keys that the Attester cannot extract or duplicate, providing non-repudiation of the attestation act.

Attack Taxonomy The following attacks are in scope for PoP defenses:

Retype Attack The canonical forgery attack against PoP: an adversary generates content using AI or other assistance, then retypes the pre-existing content while collecting "authentic" behavioral telemetry. This attack exploits the gap between typing existing text and composing original text. PoP defends against retype attacks through:

• Cognitive Load Correlation: Authentic composition exhibits increased inter-keystroke intervals during high-complexity passages. Retyping known text shows uniform timing regardless of content complexity. Evidence with semantic-timing correlation r < 0.2 is flagged for additional scrutiny (see ).
• Error Topology: Authentic authoring exhibits characteristic error patterns (hesitations, deletions near recent insertions, self-corrections). Retyping from reference exhibits either unnaturally low error rates or artificially injected errors lacking positional correlation.
• Semantic-Temporal Binding: The SWF proof binds the document's semantic evolution to wall-clock time. Retyping requires real-time effort proportional to document length, even if content was pre-generated.

Retype attacks remain economically viable for short documents. The forgery cost scales with document length and checkpoint frequency, providing graduated assurance rather than binary security.

Replay Attack Attempting to reuse previously valid Evidence for new claims. Defeated by Physical Freshness anchors that bind Evidence to non-reproducible physical state (thermal trajectories, kernel entropy samples).

Relay Attack Forwarding challenges or Evidence between a legitimate author and an adversary's session. In PoP, this manifests as claiming credit for another author's work. Defeated by hardware-bound signing (T3/T4) and out-of-band presence challenges that verify physical proximity.

SWF Acceleration Attack Using specialized hardware to compute SWF proofs faster than consumer hardware. Mitigated by Argon2id's memory-hardness (computation bounded by memory bandwidth, not ALU throughput) and Hardware-Anchored Time in T3/T4 tiers.

AE Spoofing Presenting a virtualized or modified Attesting Environment as genuine. In T1/T2 tiers, this is possible and Evidence should be weighted accordingly. T3/T4 tiers require hardware attestation that is difficult to spoof without physical access to the Secure Element.

Diversion Attack An adversary redirects Evidence intended for one Verifier to a different Verifier or Relying Party context. PoP Evidence Packets do not inherently bind to a specific Verifier identity. When conveyed over TLS, implementations SHOULD use Exported Keying Material to bind Evidence to the transport session. For offline verification, Relying Parties MUST evaluate Evidence provenance through out-of-band channels.

Out-of-Scope Threats The following threats are explicitly out of scope:

• Nation-state HSM compromise: Adversaries capable of extracting keys from certified HSMs via invasive physical attacks
• Physics-level laboratory spoofing: Adversaries capable of simulating thermal trajectories and entropy sources at sub-microsecond precision
• Quantum computation: Attacks requiring large-scale quantum computers (SHA-256 collision, Argon2id inversion)

Core Principles and Claims Building on the threat model defined above, PoP operates on five primary constraints:

• Physics-based Cost: Memory-Hard Sequential Functions (MHSF) establish an economic lower bound on forgery, ensuring consumer hardware remains competitive with specialized ASICs.
• Physical Freshness: Replay and simulation attacks are defeated by anchoring sessions to irreversible physical markers (Thermal Trajectories and Kernel Entropy pools). Every session incorporates Non-deterministic Physical Freshness sampled within the AE at the start of the sequential work function execution.
• Biological Binding: Captured human motor-signal randomness (jitter) serves as the non-deterministic seed for the spacetime proof.
• Out-of-Band Presence: Utilizing secondary physical devices (e.g., smartphone QR scans) to bridge the digital-physical gap and ensure a human is in the loop.
• Asymmetric Verification: The sequential work function allows proofs to be verified probabilistically via Merkle-sampled audit proofs, ensuring scalability and DoS resistance.

Protocol Rationale and Terminology The Proof of Process (PoP) framework follows the RATS architecture while introducing domain-specific extensions for physical process attestation.

PoP Evidence Packet (.pop):

An Attester artifact containing Merkle trees, PoBST traces, and physical liveness markers (CBOR tag 1347571280, encoding ASCII "POP ").

WAR Result (.war):

A Verifier Attestation Result containing signed EAT claims and forensic assessments (CBOR tag 1463894560). The WAR format is specified in .

PoBST:

Proof of Biological Space-Time. A memory-hard sequential function with probabilistic verification, entangled with human jitter.

CDCE:

Cross-Domain Constraint Entanglement. The method of weaving jitter and thermodynamics into the cryptographic chain.

SWF:

Sequential Work Function. The composite construction combining Argon2id and iterated SHA-256 (see ).

Attester State Machine The Attesting Environment (AE) MUST implement the following formal state machine:

• RECORDING: AE captures semantic events and physical telemetry into a hash-linked buffer. Events are appended and the block hash is updated.
• PENDING_CHECK: The current event block is frozen to prepare for a checkpoint. No new events are accepted into this block.
• CHECKPOINT: AE computes the SWF over the entangled seed (previous hash + current jitter + physical markers).
• SEALING: The Attester generates a final snapshot, signs the transcript root with a hardware Secure Element (TPM/SE), and prepares the transport container (.pop).

Evidence Content Tiers PoP Evidence packets are classified by the depth of behavioral and forensic data collected:

CORE (Tier Value 1):

Checkpoint chain with PoBST proofs, SHA-256 content binding, and physical freshness anchors. Proves temporal ordering and content integrity.

ENHANCED (Tier Value 2):

All CORE components plus behavioral entropy capture (Jitter Seals) and intra-checkpoint correlation. Adds evidence of interactive authoring behavior.

MAXIMUM (Tier Value 3):

All ENHANCED components plus CDCE, error topology analysis, and forgery cost bounds. Provides the strongest available evidence.

Attestation Assurance Levels The attestation tier system maps to established assurance frameworks including NIST SP 800-63B Authenticator Assurance Levels (AAL), ISO/IEC 29115 Levels of Assurance (LoA), and Entity Attestation Token (EAT) security levels as defined in .

Tier T1: Software-Only

Binding Strength:

none or hmac_local

NIST AAL Mapping:

AAL1

Security Properties:

• SWF timing provides temporal ordering
• Hash chains provide tamper evidence
• Jitter entropy provides behavioral binding
• No hardware root of trust; keys stored in software

Tier T2: Attested Software T2 extends T1 with optional hardware attestation hooks. The AE attempts to use platform security features (Keychain, DeviceCheck) but degrades gracefully. Maps to AAL2.

Tier T3: Hardware-Bound Requires TPM 2.0 or platform Secure Enclave key binding. Evidence generation MUST fail if hardware is unavailable. Maps to AAL3.

Tier T4: Hardware-Hardened Discrete TPM + PUF binding + Enclave execution. Anti-tamper evidence required. Exceeds AAL3 requirements; maps to ISO/IEC 29115 LoA4.

Profile Architecture The PoP specification defines three implementation profiles that establish Mandatory-to-Implement (MTI) requirements for interoperability.

Feature ID	Feature Name	CORE	ENHANCED	MAXIMUM
1	swf-argon2id-sha256	M	M	M
2	content-binding	M	M	M
4	checkpoint-chain	M	M	M
50	behavioral-entropy	O	M	M
105	hardware-attestation	O	O	M

Conformance Requirements A conforming Attester MUST implement at least the CORE profile. A conforming Verifier MUST be capable of validating all three profiles. Verifiers encountering unknown fields MUST ignore them and proceed with validation of known fields.

Evidence Format and CDDL Evidence Packets are CBOR-encoded and identified by semantic tag 1347571280. The CDDL notation is used to define the wire format. uint, ; version (MUST be 1) 2 => tstr, ; profile-uri 3 => uuid, ; packet-id 4 => pop-timestamp, ; created 5 => document-ref, ; document 6 => [+ checkpoint], ; checkpoints ? 7 => attestation-tier, ; T1-T4 ? 8 => [* tstr], ; limitations ? 9 => profile-declaration, ; profile ? 10 => [+ presence-challenge], ; QR/OOB proofs ? 18 => physical-liveness, ; CDCE markers } checkpoint = { 1 => uint, ; sequence (monotonic) 2 => uuid, ; checkpoint-id 3 => pop-timestamp, ; timestamp (local) 4 => hash-value, ; content-hash 5 => uint, ; char-count 6 => edit-delta, ; delta 7 => hash-value, ; prev-hash 8 => hash-value, ; checkpoint-hash 9 => process-proof, ; SWF proof 10 => jitter-binding, ; behavioral-entropy 11 => physical-state, ; CDCE Weave 12 => bstr .size 32, ; entangled-mac } document-ref = { 1 => hash-value, ; content-hash ? 2 => tstr, ; filename 3 => uint, ; byte-length 4 => uint, ; char-count ? 5 => hash-salt-mode, ; salting mode ? 6 => bstr, ; salt-commitment } process-proof = { 1 => proof-algorithm, ; algorithm id 2 => proof-params, ; SWF params 3 => bstr, ; input (seed) 4 => bstr, ; output (root) 5 => [+ merkle-proof], ; sampled proofs 6 => float32, ; claimed-duration } ; Subsidiary type definitions attestation-tier = &( software-only: 1, attested-software: 2, hardware-bound: 3, hardware-hardened: 4, ) proof-algorithm = &( sha256-chain: 1, pobst-argon2id: 20, ) hash-salt-mode = &( unsalted: 0, author-salted: 1, ) proof-params = { 1 => uint, ; time-cost (t) 2 => uint, ; memory-cost (m, KiB) 3 => uint, ; parallelism (p) 4 => uint, ; iterations } jitter-binding = { 1 => [+ float32], ; intervals (ms) 2 => float32, ; entropy-estimate (bits) 3 => bstr .size 32, ; jitter-seal (HMAC) } merkle-proof = { 1 => uint, ; leaf-index 2 => [+ bstr .size 32], ; sibling-path 3 => bstr .size 32, ; leaf-value } edit-delta = { 1 => int, ; chars-added 2 => int, ; chars-deleted 3 => uint, ; op-count ? 4 => [* edit-position], ; positions } edit-position = [ uint, ; offset int, ; change (+/-) ] physical-state = { 1 => [+ float32], ; thermal (relative) 2 => uint, ; entropy-delta ? 3 => bstr .size 32, ; kernel-commitment } physical-liveness = { 1 => [+ thermal-sample], ; thermal trajectory 2 => bstr .size 32, ; entropy-anchor } thermal-sample = [ pop-timestamp, ; sample time float32, ; temperature delta ] presence-challenge = { 1 => bstr, ; challenge-nonce 2 => bstr, ; device-signature 3 => pop-timestamp, ; response-time } profile-declaration = { 1 => tstr, ; profile-id 2 => [+ uint], ; feature-flags } ; Base types uuid = bstr .size 16 pop-timestamp = #6.1(number) hash-value = { 1 => hash-algorithm, 2 => bstr, } hash-algorithm = &( sha256: 1, sha384: 2, sha512: 3, ) ]]>

Checkpoint Hash Computation The checkpoint-hash field MUST be computed as follows: Where || denotes concatenation and CBOR-encode produces deterministic CBOR per Section 4.2 of .

Sequential Work Function PoP uses a composite Sequential Work Function (SWF) combining Argon2id for memory-hardness with iterated SHA-256 for sequential ordering. This construction is NOT a Verifiable Delay Function in the formal sense ; it does not provide efficient public verification of the delay claim from the output alone. Instead, verification relies on Merkle-sampled audit proofs: the Attester commits to a Merkle tree over intermediate states, and the Verifier checks a random subset of state transitions. This provides probabilistic verification in O(k * log n) time where k is the sample count and n is the iteration count.

Construction The SWF is computed as follows: The salt for Argon2id MUST be set equal to the seed value to ensure deterministic output. Implementations MUST NOT use a random salt.

Verification Protocol The Verifier MUST:

1. Recompute Argon2id from the declared seed to obtain state_0
2. For each sampled proof in the Merkle tree, verify the sibling path against the committed root and recompute SHA-256(state_i) to compare against state_{i+1}
3. Verify the final state matches the declared output

A minimum of 20 sampled proofs is REQUIRED for CORE profile. ENHANCED profile requires 50 proofs. MAXIMUM profile requires 100 proofs.

Security Bound An adversary who skips fraction f of iterations will be detected with probability 1-(1-f)^k where k is the number of sampled proofs. With k=20 and f=0.1, detection probability exceeds 0.878. With k=100 and f=0.05, detection probability exceeds 0.994.

Hardware-Anchored Time (HAT) In T3/T4 tiers, the AE MUST anchor the SWF seed to the TPM Monotonic Counter. This prevents "SWF Speed-up" attacks by ensuring that the temporal proof is bound to the hardware's internal perception of time.

IANA Considerations This document requests the following IANA registrations:

CBOR Tags Registration of CBOR tag 1347571280 (encoding ASCII "POP ") for PoP Evidence Packets and tag 1463894560 (encoding ASCII "WAR ") for WAR Results.

SMI Private Enterprise Number This document uses SMI PEN 65074, which has been requested from IANA for WritersLogic Inc. Registration is pending confirmation.

EAT Profile Registration of the EAT profile URI: urn:ietf:params:rats:eat:profile:pop:1.0

Media Types Requests registration of:

• application/vnd.writerslogic-pop+cbor
• application/vnd.writerslogic-war+cbor

Security Considerations This section provides security analysis following guidelines. The threat model is defined in with the adversarial Attester as the primary threat actor. Detailed forensic security analysis is provided in .

Primary Threat: Adversarial Attester Unlike traditional remote attestation where external adversaries threaten system integrity, PoP's primary threat is the Attester operator themselves. The author controls the Attesting Environment and has incentive to claim authenticity for AI-generated or assisted content. This threat model inversion has fundamental implications:

• Software-only attestation (T1) provides minimal assurance since the Attester controls all software
• Cryptographic proofs must be bound to physical constraints the Attester cannot circumvent
• Behavioral entropy must be economically expensive to forge, not merely cryptographically secure
• Trust in Evidence scales with the Attestation Tier and the cost of bypassing its guarantees

Retype Attack Defenses The retype attack (see ) is the canonical forgery vector. Defenses are layered:

Cognitive Load Correlation (CLC):

Verifiers MUST analyze correlation between content complexity and typing cadence. Retyping known text produces flat cognitive load curves; authentic composition shows elevated latency during complex passages. Detection threshold: r < 0.2 correlation flags evidence for additional scrutiny.

Error Topology Analysis:

Authentic authoring produces characteristic error patterns: corrections localized near recent insertions, deletion-to-insertion ratios consistent with human cognitive models , and fractal self-similarity in revision patterns. Retyping produces either unnaturally low error rates or randomly distributed artificial errors.

Temporal Cost:

Even successful retype attacks require real-time effort. A 5,000-word document with 10-second checkpoint intervals requires 8+ hours of continuous typing effort to forge. The attack does not scale economically for high-volume forgery.

Relying Parties MUST understand that retype attacks remain viable for short documents or high-value targets willing to invest real time. PoP provides graduated assurance proportional to document length and checkpoint density.

Relay and Replay Attack Defenses As defined in and , these attacks are defeated through Physical Freshness anchors binding Evidence to non-reproducible physical state:

• Thermal trajectories captured during SWF computation cannot be replayed
• Kernel entropy pool deltas are bound to specific execution moments
• Out-of-band presence challenges (QR scans) verify real-time physical proximity

Verifiers MUST reject Evidence where physical freshness markers are stale, inconsistent with timestamps, or exhibit patterns suggesting simulation.

SWF Acceleration Defenses As analyzed in , specialized hardware attacks are mitigated by:

• Memory-hardness: Argon2id computation is bounded by memory bandwidth (approximately 50 GB/s for DDR5), not ALU throughput. ASICs provide minimal advantage.
• Hardware-Anchored Time (T3/T4): SWF seeds are bound to TPM monotonic counters, preventing time compression even with faster computation.
• Merkle sampling: Skipping SWF iterations is detected probabilistically. With k=100 samples, skipping 5% of iterations has >99.4% detection probability.

Trust Gradation by Tier Relying Parties MUST interpret Evidence according to its Attestation Tier:

T1 (Software-Only):

Provides temporal ordering and content binding only. Adversarial Attester can forge all behavioral claims. Suitable only for low-stakes applications or as supplementary evidence.

T2 (Attested Software):

Adds platform attestation hooks but degrades gracefully. Provides moderate assurance against casual forgery but not determined adversaries.

T3 (Hardware-Bound):

Signing keys are hardware-protected. Forgery requires physical access to the Secure Element. Provides strong assurance for most applications.

T4 (Hardware-Hardened):

Anti-tamper evidence and PUF binding. Forgery requires invasive hardware attacks. Suitable for high-stakes legal or financial applications.

Forgery Cost Bounds Implementations SHOULD report quantified forgery cost estimates in WAR Results. For CORE profile (10,000 iterations, m=65536 KiB):

• Sequential computation time: approximately 45 seconds per checkpoint
• Memory requirement: 64 MiB per concurrent chain
• Energy cost: approximately 0.01 USD per checkpoint at consumer electricity rates

For ENHANCED profile, adversary must additionally satisfy behavioral constraints (CV > 0.15, semantic correlation r > 0.3, error topology matching). These constraints are conjunctive per checkpoint and scale superlinearly with checkpoint count due to session consistency requirements.

Denial of Service SWF verification is asymmetric: Merkle-sampled proofs verify in O(k * log n) versus O(n) generation. Verifiers cannot be overwhelmed by expensive verification requests. Implementations SHOULD implement rate limiting on Evidence submission.

Implementation Security Requirements Conforming implementations MUST:

• Use constant-time comparison for all cryptographic operations
• Zero sensitive memory (keys, jitter data) after use
• Validate all input lengths and formats before processing
• Reject Evidence with inconsistent internal state (e.g., checkpoint-hash verification failure)

T3/T4 implementations MUST additionally:

• Store signing keys exclusively in hardware Secure Elements
• Bind SWF seeds to TPM monotonic counters
• Verify platform integrity before Evidence generation

Privacy Considerations This section addresses privacy in accordance with .

Data Minimization PoP Evidence Packets MUST NOT contain document content. Content binding uses cryptographic hashes (SHA-256) which are computationally irreversible. The author-salted mode (hash-salt-mode=1) provides additional protection by preventing rainbow-table correlation across documents.

Behavioral Fingerprinting Jitter sequences in ENHANCED and MAXIMUM profiles constitute behavioral biometrics. Verifiers MUST NOT:

• Store jitter data beyond the verification session
• Correlate jitter across multiple Evidence Packets to deanonymize authors
• Use jitter data for any purpose other than authenticity verification

Attesters SHOULD quantize jitter values to reduce fingerprinting precision while preserving statistical validity. A minimum quantization of 5ms is RECOMMENDED.

Physical State Leakage Thermal trajectories and kernel entropy deltas in the physical-state field may reveal information about the Attester's hardware configuration. Implementations SHOULD normalize thermal data to relative deltas rather than absolute values to prevent device fingerprinting.

Unlinkability Authors who wish to remain pseudonymous SHOULD use per-document signing keys and the author-salted content binding mode to prevent cross-document linkage.

References Normative References Informative References

Appendix A: SWF Test Vectors The following test vectors validate SWF implementations. The salt for Argon2id is set equal to the seed.