Private.Me Platform

Core Concepts

How XorIDA threshold sharing works. Information-theoretic security over GF(2) — no keys, sub-millisecond, quantum-proof by design.

What is XorIDA?

XorIDA is a threshold secret sharing algorithm operating over the binary field GF(2). It splits data into shares such that any k shares can reconstruct the original, but fewer than k shares reveal nothing. Unlike encryption, XorIDA provides information-theoretic security — mathematically provable protection that cannot be broken, even with unlimited computational power.

k-of-n Threshold

Choose any reconstruction threshold. Common patterns: 2-of-2 (split-channel), 2-of-3 (fault-tolerant), 3-of-5 (high-security quorum).

Sub-Millisecond

XOR operations over GF(2) are the fastest cryptographic primitive. Typical payloads split in <1ms. 1MB splits in ~33ms (2-of-2).

No Keys

Zero key management. No key derivation, no key rotation, no key compromise. Shares are self-contained — no external state required.

Quantum-Proof

Unconditionally secure. Shor's algorithm and Grover's algorithm are irrelevant. Security holds regardless of future computational advances.

This makes XorIDA ideal for machine-to-machine communication, split-channel protocols, and any scenario where encryption keys create operational risk. Private.Me builds all 205 ACIs on this foundation.

How it works

XorIDA threshold sharing involves four critical steps. Each step must execute in order for secure reconstruction.

Split The original data is encoded into n shares using XOR operations over GF(2). Each share is the same size as the original. Any k shares can reconstruct the original via XOR combination.
Distribute Shares are transmitted over separate channels. For example, in a 2-of-2 protocol, share 1 goes via email while share 2 goes via SMS. An attacker seeing only one channel gains zero information about the original data.
HMAC Verify After reconstruction, the HMAC-SHA256 signature is verified on the reconstructed data. This ensures the reconstructed data was not tampered with. If verification fails, the data is rejected before unpadding.
Reconstruct Once all k shares are verified, they are XOR-combined to recover the original data. The result is bit-for-bit identical to the original input.

⚠️ Critical Security Rule

HMAC verification happens on the reconstructed data before unpadding. No exceptions. This prevents use of tampered data — verification happens immediately after reconstruction, before any unpadding or processing. All Private.Me implementations enforce this ordering.

Why not Shamir's Secret Sharing?

Shamir's Secret Sharing is the most widely known threshold scheme, but it operates over large prime fields and requires computationally expensive modular arithmetic. XorIDA operates over GF(2), using only XOR — the simplest and fastest operation.

Property	XorIDA (GF(2))	Shamir's (GF(prime))
Field	GF(2) — binary field	GF(2²⁵⁶) or GF(prime)
Speed	<1ms typical, ~33ms for 1MB	500–2000× slower
Operations	XOR only	Modular arithmetic (mul, inv, add)
Embedded support	Yes — minimal CPU requirements	Limited — requires big-integer support
Key management	None	Prime selection, coefficient generation
Quantum-proof	Unconditionally secure	Unconditionally secure
Patent status	US 11,972,000 B2 (issued April 2024)	Public domain (Shamir 1979)

Both schemes provide information-theoretic security. XorIDA is chosen for speed, simplicity, and zero key management. Shamir's is documented in the Private.Me patent as an alternative embodiment, but is not implemented in production.

Agent identity

Private.Me agents use Ed25519 for signing and X25519 for Diffie-Hellman key agreement. Each agent has a self-certifying decentralized identifier (DID) in the did:key format. No central registry, no certificate authority, no trust anchor required.

The DID is derived directly from the agent's Ed25519 public key using multibase encoding. It looks like this:

did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK

This provides non-repudiation (every message is cryptographically signed) and forward secrecy (ephemeral X25519 keys are generated per-session using ECDH, then discarded after use). The combination ensures that even if an agent's signing key is compromised, past sessions remain secure.

Example: Creating an agent

const agent = await Agent.create()
console.log(agent.did)
// did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK

The agent's identity is its DID. All authentication, authorization, and message verification use this DID as the trust root. No API keys, no bearer tokens, no shared secrets.

Envelope format

Every Private.Me message is wrapped in a standardized envelope format called Envelope V1. The envelope uses encrypt-then-sign — the payload is encrypted with AES-256-GCM, then the entire envelope (including encrypted ciphertext) is signed with Ed25519.

Envelope structure:

Field	Type	Description
version	uint8	Envelope format version (currently `1`)
sender	DID string	Sender's `did:key` identifier
recipient	DID string	Recipient's `did:key` identifier
encrypted	bytes	AES-256-GCM ciphertext of the payload
signature	bytes (64)	Ed25519 signature covering all fields above
nonce	bytes (12)	AES-GCM nonce (unique per message)
shareIndex	uint8	This share's index (1-based)
shareCount	uint8	Total number of shares (`n`)
threshold	uint8	Minimum shares needed to reconstruct (`k`)
hmac	bytes (32)	HMAC-SHA256 over the share data

The envelope is serialized using Type-Length-Value (TLV) encoding for wire transmission. The first 4 bytes are the magic number 0x49444135 ("IDA5" in ASCII), which identifies the format as an XorIDA share envelope.

On the receiving side, the signature is verified first, then the HMAC, then the ciphertext is decrypted. If any verification step fails, the envelope is rejected before reconstruction begins.

See it in action

Split, tamper, verify, reconstruct — all in your browser.

Try the playground →