xWallet: The Credential Engine Behind Ephemeral Identity

Section 01

The Problem: Credential Infrastructure Has No Cryptographic Foundation

Digital credentials are stored in centralized databases protected by encryption keys. A single key compromise exposes millions of records. Existing credential libraries are not designed for the microsecond reconstruct-disclose-purge cycle that unlinkable identity demands.

Three Infrastructure Failures

1. Key-dependent security. Every existing credential wallet encrypts data with a single key. Compromise that key — through theft, side-channel attack, or a future quantum computer — and every credential is exposed. This is the harvest-now-decrypt-later threat: adversaries collect encrypted credential stores today and decrypt them when quantum computers arrive. Key-dependent security has a defined expiry date.

2. No tamper-evident audit trail. When a credential is issued, stored, presented, or revoked, there is no cryptographic chain linking these events. Regulated industries (healthcare, finance, government) require proof that credentials were handled correctly. Most credential systems offer server-side logs that are mutable, deletable, and disconnected from the credential crypto.

3. Not designed for microsecond operations. Ephemeral identity requires reconstructing a credential, selecting attributes, and verifying integrity within a ~50 microsecond window. Existing credential libraries are built for millisecond-to-second response times. They cannot serve as the engine for a pipeline that must reconstruct, disclose, and purge before the next presentation.

Infrastructure Comparison

Infrastructure	Quantum-Safe Storage?	Microsecond Reconstruct?	Audit Chain?	Selective Disclosure?
JWT Libraries	No — AES/RSA keys	N/A (no split)	No	No
Aries Framework	No — key-based	No	Partial	Yes (AnonCreds)
SpruceID	No — key-based	No	No	Partial
walt.id	No — key-based	No	No	Partial
xWallet	Yes — IT-secure	~35µs	HMAC chain	Attribute-level

Section 02

The Solution: Information-Theoretic Credential Infrastructure

Every credential flows through a deterministic pipeline: issue, serialize, pad, HMAC-authenticate, XorIDA-split. Each credential is independently split. No single share contains enough to reconstruct any credential.

Nine built-in credential schemas cover government, education, health, finance, and professional domains. Signing functions are injected — xWallet handles the credential crypto pipeline, not key management. Your application provides the signing function; xWallet provides everything else.

Selective disclosure operates at the attribute level. When a verifier requests specific attributes, xWallet reconstructs only the requested fields. A relying party checking age verification never sees the full credential. The holder controls what is revealed, and the verifier receives a cryptographic proof that the disclosed attributes are authentic.

Enabling Ephemeral Identity

xWallet's ~35 microsecond credential reconstruction is the foundation of xID's ~50 microsecond ephemeral presentation window. When xID derives a per-verifier ephemeral DID and needs to present a credential, xWallet is the engine that reconstructs from shares, verifies HMAC integrity, selects requested attributes, and packages the disclosure — all before xID signs with the ephemeral key and purges. Without microsecond-grade credential infrastructure, ephemeral identity is architecturally impossible.

Design Principle

xWallet is credential infrastructure, not a consumer wallet. It provides the issuance, serialization, storage, presentation, and revocation pipeline. Consumer-facing wallets (like xID) build on xWallet for UX, import flows, ephemeral identity, and backup. xWallet is the engine. xID is the car.

Section 03

Architecture

Credentials flow through a deterministic pipeline: issue, serialize, pad, authenticate, split, and store. Retrieval reverses the pipeline with HMAC verification at every stage.

Credential Pipeline

Combined xWallet + xID Pipeline

When an ephemeral presentation occurs, the xWallet retrieve pipeline feeds directly into xID's ephemeral derivation. The combined flow: xWallet reconstruct (~35µs) → HMAC verify → Unpad + deserialize → HKDF derive (~5µs) → Ed25519 keygen (~8µs) → Select attributes + sign (~2µs) → Purge (~1µs). Total: ~50µs. The credential never exists in decrypted form for longer than it takes to disclose the requested attributes.

Binary Credential Format

Binary Layout

[version:1][idLen:2][id][schemaIdLen:2][schemaId][issuerLen:2][issuer]
[subjectLen:2][subject][issuedAt:8][hasExpiry:1][expiresAt:8?]
[sigLen:2][signature][attrCount:2][...attributes]

// Attribute types
string(0)  number(1)  boolean(2)  bytes(3)

Padding: PKCS7 with b=p-1

Before HMAC computation and XorIDA splitting, every serialized credential is padded using PKCS7 with block size b = p − 1 where p is the XorIDA prime parameter. This ensures the padded payload is always a valid input length for the splitting algorithm while preventing length-based metadata leakage across shares.

Section 04

Benchmarks

At typical credential sizes (<1 KB), XorIDA splitting is 2–11x faster than AES-256-GCM. The full retrieve pipeline completes in ~60 microseconds.

XorIDA Split Performance

Payload Size	XorIDA Split	AES-256-GCM	Speedup
64 bytes	~14µs	~160µs	11.4x
256 bytes	~35µs	~122µs	3.5x
1 KB	~58µs	~140µs	2.4x

Full Credential Operations

Operation	Latency	Notes
Reconstruct from k shares	~35µs	GF(2) XOR operation — near memory bandwidth
HMAC-SHA256 verify	~5µs	Per-share + whole-payload verification
Full retrieve (reconstruct + HMAC + unpad + deserialize)	~60µs	Complete credential recovery pipeline
Store (serialize + pad + HMAC + split)	~80µs	Complete credential storage pipeline
Selective disclosure (full retrieve + attribute selection)	~65µs	Only requested attributes extracted

~14µs

64B split time

11.4x

Faster than AES (64B)

0 bits

Per-share leakage

~60µs

Full retrieve

Section 05

ACI Surface

Schema registration, credential issuance, split storage, retrieval, selective disclosure, and revocation. The full credential lifecycle in six functions. Every function returns a Result<T, E>.

Issue + Store

import { issueCredential, storeCredential } from '@private.me/xwallet';

// Issue a credential with injected signing function
const issued = await issueCredential({
  schemaId: 'government-id',
  issuerDid: 'did:key:z6Mk...',
  subjectDid: 'did:key:z6Mn...',
  attributes: {
    fullName: 'Jane Doe',
    dateOfBirth: '1990-03-15',
    nationality: 'US',
  },
  signingFn,  // injected — no key management baked in
});

// Store — serializes, pads, HMACs, XorIDA-splits into k-of-n shares
const stored = await storeCredential(issued.value);

Retrieve + Present + Feed to xID Ephemeral

// Retrieve — reconstructs from k shares, verifies HMAC, deserializes
const credential = await retrieveCredential(stored.value);

// Present — selective disclosure of requested attributes only
const presentation = await createPresentation({
  credential: credential.value,
  request: { attributes: ['dateOfBirth', 'nationality'] },
  signingFn,
});

// Or feed into xID ephemeral presentation pipeline:
// xWallet retrieves credential shares → xID derives ephemeral DID
// → signs with ephemeral key → purges all material

issueCredential(opts: IssueConfig): Promise<Result<VerifiableCredential, WalletError>>

Issues a verifiable credential. Validates the schema, populates typed attributes, timestamps issuance, computes the issuer signature via the injected signingFn, and returns a signed Credential object ready for storage.

storeCredential(credential: VerifiableCredential): Promise<Result<StoredCredentialShares, WalletError>>

Serializes into deterministic binary format, pads with PKCS7 (b=p-1), computes HMAC-SHA256 over the padded payload, splits via XorIDA into k-of-n shares. Returns a StorageHandle referencing the shares and their HMAC tags. ~80µs for typical credentials.

retrieveCredential(handle: StoredCredentialShares): Promise<Result<VerifiableCredential, WalletError>>

Reconstructs from k shares. Verifies HMAC-SHA256 on each share before reconstruction, verifies whole-payload HMAC after reconstruction, strips padding, deserializes binary format, verifies issuer signature. ~60µs for typical credentials.

createPresentation(opts: PresentOpts): Promise<Result<Presentation, WalletError>>

Creates a selective disclosure presentation. Only requested attributes are included in the output. Signs with the holder's signingFn and packages with proof chain. Unrequested attributes never leave the wallet.

verifyPresentation(pres: Presentation, verifyFn): Promise<Result<PresentationVerification, WalletError>>

Verifies holder signature and issuer signature chain. Checks that disclosed attributes match the presentation request. Validates expiry and revocation status.

RevocationRegistry.revoke(credentialId: string): Promise<Result<void, WalletError>>

Marks a credential as revoked in the HMAC-chained revocation registry. Subsequent verifyPresentation calls return a revocation error. Append-only and tamper-evident via HMAC chain integrity.

Schema Interface

// 9 built-in schemas
getBuiltInSchemas();
// → government-id, drivers-license, passport, diploma,
//   health-certificate, vaccination-record, professional-license,
//   financial-kyc, insurance-policy

// Create and register custom schemas
const schema = createSchema('Employee Badge', [
  { name: 'name', type: 'string', required: true },
  { name: 'employeeId', type: 'string', required: true },
  { name: 'department', type: 'string', required: false },
]);
if (schema.ok) registerSchema(schema.value);

Section 06

Use Cases

Infrastructure-perspective use cases aligned with xID's identity verticals. xWallet is the credential layer that makes each vertical possible.

🏛

GOVERNMENT ISSUANCE

National ID Credential Pipeline

Government issuers use xWallet to issue national ID credentials against the built-in government-id schema. Credentials are XorIDA-split at issuance — the issuing authority never holds a reconstructable copy after delivery. Citizens receive shares distributed across independent storage backends. When xID needs to present an ephemeral identity to a verifier, xWallet's ~35µs reconstruction enables the ~50µs presentation window. The HMAC-chained audit log provides government-grade tamper-evident records of every issuance event.

eIDAS 2.0

🏥

HEALTHCARE PIPELINE

HIPAA-Compliant Credential Storage

Vaccination records, prescriptions, and health certificates are issued via xWallet's vaccination-record and health-certificate schemas. Credential shares are split across provider and patient nodes — no single node holds a complete medical credential. Selective disclosure allows pharmacies to verify a prescription without accessing the patient's diagnosis. Revocation on prescription expiry is automatic via the HMAC-chained registry. The audit trail satisfies HIPAA record-keeping and 42 CFR Part 2 substance abuse protections.

HIPAA

💳

FINANCIAL KYC

Split-Stored KYC Credentials

Financial institutions issue KYC credentials via the financial-kyc schema. The credential — containing name, DOB, address, and nationality — is XorIDA-split before it leaves the issuance pipeline. When a customer opens an account at a new bank, xWallet retrieves and selectively discloses only the attributes the bank requires (e.g., name + DOB for age verification, not full SSN). Revocation on account closure is immediate. DORA compliance is satisfied by the information-theoretic storage layer.

KYC / DORA

📦

SOFTWARE LICENSING (ANTI-PIRACY)

Unlinkable License Credential Protection

Software vendors issue license credentials to customers via xWallet. Each activation derives an ephemeral per-device DID from the license holder's master seed — verifiable for the specific device context, but unlinkable across devices. Prevents license sharing and resale while preserving user privacy. Revocation on subscription lapse or TOS violation is immediate. IP protection and revenue assurance without invasive tracking.

License Protection

Section 07

Cross-ACI Composition

xWallet is the credential layer that other ACIs build on. Identity wallets, storage backends, audit proofs, and agent transport all compose with xWallet's credential pipeline.

XID + XWALLET

xID is the ephemeral identity layer built on xWallet infrastructure. xWallet handles credential crypto — serialization, splitting, HMAC integrity, reconstruction, selective disclosure. xID handles the identity layer — per-verifier ephemeral DIDs, consent dialogs, epoch rotation, wallet UX, and encrypted backup. xWallet is the engine. xID is the car. Without xWallet's ~35µs reconstruction, xID's ~50µs ephemeral presentation is architecturally impossible.

XSTORE + XWALLET

xStore provides pluggable backend storage for xWallet's XorIDA shares. Store credential shares across S3, Azure Blob, air-gapped filesystem, or any custom backend. xWallet produces the shares. xStore decides where they live — multi-cloud, multi-jurisdiction, or air-gapped.

XPROVE + XWALLET

xWallet's per-share HMAC tags and HMAC-chained audit log feed into xProve for verifiable computation proofs. Prove that credentials were issued correctly, stored intact, and presented only with holder consent — without revealing the credentials themselves. Upgrade to zero-knowledge proofs when regulators need public verification.

XLINK + XWALLET

xLink provides the M2M transport for credential exchange between agents. xWallet provides the credential format and crypto. When an issuer agent issues a credential to a holder agent, xLink handles the authenticated, encrypted channel. xWallet handles the credential payload inside that channel.

Section 08

Enhanced Identity with Xid

xWallet can optionally integrate with Xid to enable unlinkable credential presentation — verifiable for the specific verifier context, but uncorrelatable across different presentations or verifiers.

Three Identity Modes

Basic (Default)

Static Holder DIDs

One DID per credential holder, persistent across all presentations. Simple, but linkable — same identity can be tracked across verifiers and over time.

Current xWallet behavior

xWallet+ (With Xid)

Ephemeral Per-Presentation DIDs

Each credential presentation gets a unique DID derived from an XorIDA-split master seed. DIDs are unlinkable across verifiers and rotate per epoch. Selective disclosure works per context — same holder, different unlinkable identities per verifier. ~50µs overhead per presentation.

Unlinkable presentation

xWallet Enterprise

K-of-N High-Assurance Credential Issuance

Require 3-of-5 signals (biometric + device TPM + location + time + YubiKey) to issue or present credentials. IAL2/3 assurance levels for medical licenses, financial KYC, government IDs, and educational diplomas. Continuous refresh ensures only authorized holders can present.

IAL2/3 compliance

Integration Pattern

xWallet+ is not a new ACI — it's an integration of two existing ACIs (xWallet + Xid). This demonstrates ACI composability — building blocks combine to create enhanced capabilities without requiring new primitives.

How Ephemeral Presentation Works

In xWallet+ mode, each credential presentation derives a unique DID via HKDF from the holder's XorIDA-split master seed:

Ephemeral Presentation Flow

// Verifier requests credential
const presentation = await wallet.present({
  credential: medicalLicenseVC,
  verifier: 'did:key:z6Mk...', // Hospital DID
  ephemeral: true // Enable Xid integration
});

// Result: unique DID for this verifier + credential + epoch
presentation.holder // did:key:z6MkX... (ephemeral, ~50µs derivation)
// Same doctor presenting to different hospital → different DID
// Same doctor presenting next week → different DID (epoch rotation)

Market Positioning

Target markets: Healthcare (patient credentials, medical licenses), Financial (KYC/AML, credit bureau), Government (national IDs, voter registration, security clearances), Education (diplomas, transcripts), Professional licensing (bar admission, CPA).

Key Benefits

Capability	Without Xid (Basic)	With Xid (Plus/Enterprise)
Presentation tracking	Same DID across all verifiers — full correlation possible	Unique DID per verifier — cross-verifier correlation impossible
Identity linkage	Persistent identifier enables dossier building over time	Epoch rotation breaks temporal linkage
eIDAS 2.0 ARF compliance	Not compliant (persistent identifiers)	Compliant (unlinkable per-context identities)
High-assurance issuance	Single-factor (password or static key)	K-of-N multi-factor (biometric + TPM + location + time)

Section 09

Developer Experience

xWallet provides comprehensive progress callbacks, field-level error attribution, and actionable guidance across 43 error codes in 11 categories. Every operation surfaces real-time progress and specific recovery paths.

Progress Callbacks

All async operations emit granular progress events, enabling real-time UI updates during credential issuance, storage, retrieval, and presentation:

W3C Verifiable Credential Issuance with Progress

import { WalletRegistry } from '@private.me/xwallet';

// Create wallet with W3C VC schema
const wallet = await WalletRegistry.createWallet({
  name: 'medical-licenses',
  schemaId: 'w3c-verifiable-credential', // Built-in W3C schema
  threshold: { k: 2, n: 3 } // 2-of-3 XorIDA split
});

// Issue credential with progress tracking
const result = await wallet.issueCredential({
  subject: 'did:key:z6MkhaXg...',
  claims: {
    '@context': ['https://www.w3.org/2018/credentials/v1'],
    type: ['VerifiableCredential', 'MedicalLicense'],
    credentialSubject: {
      id: 'did:key:z6MkhaXg...',
      licenseNumber: 'MD-123456',
      state: 'CA',
      specialty: 'Cardiology',
      issuedDate: '2024-01-15',
      expiryDate: '2027-01-15'
    }
  },
  onProgress: (event) => {
    switch (event.stage) {
      case 'validating':
        console.log(`Schema validation: ${event.percent}%`);
        break;
      case 'signing':
        console.log(`Signing credential with issuer key`);
        break;
      case 'splitting':
        console.log(`XorIDA 2-of-3 split: ${event.percent}%`);
        break;
      case 'storing':
        console.log(`Storing share ${event.current} of ${event.total}`);
        break;
      case 'complete':
        console.log(`Credential issued: ${event.credentialId}`);
        break;
    }
  }
});

// Retrieve credential with progress
const credential = await wallet.retrieveCredential({
  credentialId: result.credentialId,
  onProgress: (event) => {
    console.log(`${event.stage}: ${event.percent}%`);
    // Stages: fetching → reconstructing → verifying → complete
  }
});

// Create presentation with selective disclosure (OID4VP)
const presentation = await wallet.createPresentation({
  credentials: [credential],
  verifier: 'did:key:z6Mk...', // Hospital DID
  disclose: ['licenseNumber', 'state', 'specialty'], // Exclude expiry
  onProgress: (event) => {
    if (event.stage === 'disclosing') {
      console.log(`Disclosing ${event.current} of ${event.total} fields`);
    }
  }
});

// Result: verifiable presentation with only requested fields
presentation.verifiableCredential[0].credentialSubject
// { licenseNumber: 'MD-123456', state: 'CA', specialty: 'Cardiology' }
// expiryDate NOT included — never left the wallet

Error Codes: 43 Codes Across 11 Categories

Every error includes a machine-readable code, human-readable message, field-level attribution (18 codes), and specific recovery guidance:

Schema Errors (6 codes)

SCHEMA_NOT_FOUND, SCHEMA_VERSION_MISMATCH, SCHEMA_VALIDATION_FAILED, REQUIRED_FIELD_MISSING, INVALID_FIELD_TYPE, FIELD_OUT_OF_RANGE

Example: SCHEMA_VERSION_MISMATCH — "Credential uses schema v2.1.0, wallet expects v2.0.0. Update wallet or request credential reissuance."

Issuance Errors (5 codes)

ISSUER_SIGNATURE_INVALID, ISSUER_NOT_TRUSTED, ISSUANCE_DATE_FUTURE, CREDENTIAL_EXPIRED, SIGNING_KEY_UNAVAILABLE

Example: ISSUER_SIGNATURE_INVALID — "Issuer signature verification failed. Credential may be tampered. Request new credential from issuer."

Storage Errors (6 codes)

STORAGE_BACKEND_UNAVAILABLE, SHARE_STORAGE_FAILED, INSUFFICIENT_SHARES, SHARE_CORRUPTED, HMAC_VERIFICATION_FAILED, RECONSTRUCTION_FAILED

Example: INSUFFICIENT_SHARES — "Found 1 of 2 required shares. Recover missing share from backup or request credential reissuance."

Disclosure Errors (5 codes)

DISCLOSURE_FIELD_NOT_FOUND, DISCLOSURE_PROOF_FAILED, SELECTIVE_DISCLOSURE_UNSUPPORTED, REQUESTED_FIELD_EXCLUDED, DISCLOSURE_POLICY_VIOLATION

Example: DISCLOSURE_PROOF_FAILED — "Selective disclosure proof generation failed. Reduce disclosed fields or present full credential."

Presentation Errors (4 codes)

VERIFIER_DID_INVALID, PRESENTATION_SIGNATURE_FAILED, CREDENTIAL_REVOKED, PRESENTATION_EXPIRED

Example: CREDENTIAL_REVOKED — "Credential revoked by issuer on 2026-03-15. Request new credential from issuer."

Revocation Errors (3 codes)

REVOCATION_LIST_UNAVAILABLE, REVOCATION_STATUS_UNKNOWN, REVOCATION_CHECK_TIMEOUT

Example: REVOCATION_LIST_UNAVAILABLE — "Cannot fetch revocation list from issuer. Retry in 30 seconds or proceed without revocation check."

Threshold Errors (3 codes)

THRESHOLD_TOO_LOW, THRESHOLD_EXCEEDS_TOTAL, SHARE_INDEX_OUT_OF_RANGE

Example: THRESHOLD_TOO_LOW — "k=1 threshold provides no security. Minimum recommended: k=2 for 2-of-3."

Cryptographic Errors (4 codes)

ENCRYPTION_FAILED, DECRYPTION_FAILED, KEY_DERIVATION_FAILED, RANDOM_SOURCE_UNAVAILABLE

Example: KEY_DERIVATION_FAILED — "HKDF key derivation failed. Verify input key material is valid."

Network Errors (3 codes)

NETWORK_TIMEOUT, STORAGE_BACKEND_UNREACHABLE, ISSUER_ENDPOINT_UNAVAILABLE

Example: NETWORK_TIMEOUT — "Storage backend timeout after 5000ms. Check network connection and retry."

Audit Errors (2 codes)

AUDIT_LOG_CORRUPTED, AUDIT_CHAIN_BROKEN

Example: AUDIT_CHAIN_BROKEN — "HMAC chain broken at entry 42. Audit trail integrity compromised. Investigate tampering."

Integration Errors (2 codes)

XID_INTEGRATION_FAILED, OID4VP_PROTOCOL_ERROR

Example: OID4VP_PROTOCOL_ERROR — "OID4VP presentation request malformed. Verify verifier implements OpenID4VP 1.0 spec."

Field-Level Error Attribution (18 Codes)

When schema validation fails, errors pinpoint the exact field and violation:

Field-Level Error Example

// Invalid credential: expiryDate in the past
const result = await wallet.issueCredential({
  subject: 'did:key:z6MkhaXg...',
  claims: {
    type: ['VerifiableCredential', 'MedicalLicense'],
    credentialSubject: {
      licenseNumber: 'MD-123456',
      expiryDate: '2020-01-15' // Expired!
    }
  }
});

// Error response with field attribution
result.error
// {
//   code: 'CREDENTIAL_EXPIRED',
//   message: 'Credential expired on 2020-01-15',
//   field: 'credentialSubject.expiryDate',  // Exact field path
//   value: '2020-01-15',                     // Problematic value
//   expected: 'Date after 2026-04-06',       // Validation rule
//   recovery: 'Update expiryDate to future date or issue short-lived credential'
// }

18 field-attributable codes: REQUIRED_FIELD_MISSING, INVALID_FIELD_TYPE, FIELD_OUT_OF_RANGE, DISCLOSURE_FIELD_NOT_FOUND, REQUESTED_FIELD_EXCLUDED, ISSUANCE_DATE_FUTURE, CREDENTIAL_EXPIRED, ISSUER_SIGNATURE_INVALID, VERIFIER_DID_INVALID, SHARE_CORRUPTED, HMAC_VERIFICATION_FAILED, THRESHOLD_TOO_LOW, THRESHOLD_EXCEEDS_TOTAL, SHARE_INDEX_OUT_OF_RANGE, SCHEMA_VALIDATION_FAILED, DISCLOSURE_PROOF_FAILED, PRESENTATION_SIGNATURE_FAILED, OID4VP_PROTOCOL_ERROR.

Built-in W3C VC + OID4VP Support

xWallet includes first-class support for W3C Verifiable Credentials 1.1 and OpenID for Verifiable Presentations (OID4VP):

W3C VC 1.1 schema built-in — supports @context, type, credentialSubject, issuer, issuanceDate, expirationDate, proof
OID4VP presentation flow — automatic presentation request parsing, selective disclosure per verifier request, signed presentation response
JSON-LD context validation — verify credential contexts resolve and match schema
Proof formats — Ed25519Signature2020, JsonWebSignature2020, BbsBlsSignature2020 (selective disclosure)
Revocation methods — RevocationList2020, StatusList2021, issuer-hosted revocation endpoints

Standards Compliance

xWallet implements W3C Verifiable Credentials Data Model 1.1 (W3C Recommendation 03 March 2022) and OpenID for Verifiable Presentations (Draft 20, December 2023). All credential issuance, storage, and presentation operations conform to these specifications. Additional formats (VCDM 2.0, SD-JWT VC, mDL/ISO 18013-5) planned for future releases.

Error Recovery Patterns

Every error code includes actionable recovery guidance:

Error Code	Recovery Action	When to Retry
`INSUFFICIENT_SHARES`	Recover missing share from backup OR request credential reissuance from issuer	After backup restoration OR new credential received
`CREDENTIAL_REVOKED`	Request new credential from issuer with updated claims	After new credential issued
`SCHEMA_VERSION_MISMATCH`	Update wallet to schema v2.1.0 OR request issuer reissue with v2.0.0	After schema update OR credential reissuance
`DISCLOSURE_PROOF_FAILED`	Reduce disclosed fields (fewer attributes = simpler proof) OR present full credential	Immediate retry with fewer fields
`NETWORK_TIMEOUT`	Check network connection, verify storage backend reachable, increase timeout	After network restored (exponential backoff: 1s, 2s, 4s)
`HMAC_VERIFICATION_FAILED`	Share corrupted or tampered — discard and retrieve from backup OR request reissuance	Do NOT retry — treat as security incident
`AUDIT_CHAIN_BROKEN`	HMAC chain integrity compromised — investigate tampering, restore from backup	Do NOT retry — treat as security incident

Developer-First Design

xWallet's error handling follows fail-fast with recovery guidance philosophy. Operations never silently fail. Every error surfaces immediately with: (1) machine-readable code for programmatic handling, (2) human-readable message for logging/debugging, (3) field-level attribution when applicable, (4) specific recovery action. This pattern is consistent across all 43 error codes.

Section 10

Security Properties

xWallet inherits XorIDA's information-theoretic guarantees and adds credential-layer integrity, selective disclosure, injected signing, and HMAC-chained audit logs.

Core Guarantees

Property	Mechanism	Guarantee
Confidentiality	XorIDA k-of-n splitting	Any k-1 shares reveal zero information (information-theoretic)
Integrity (share)	HMAC-SHA256 per share	Tampered shares rejected before reconstruction
Integrity (payload)	HMAC-SHA256 over padded data	Whole-payload verification after reconstruction
Signature	Injected signing function	Issuer authenticity verified without baked-in key management
Selective Disclosure	Attribute-level reconstruction	Only requested attributes revealed; unrequested fields never leave the wallet
Audit	HMAC-chained log (SHA-256)	Tamper-evident record of every issuance, presentation, and revocation
Ephemeral Identity Support	~35µs reconstruct + ~5µs HMAC verify	Designed for <100µs reconstruct-disclose-purge pipeline

Traditional PKI vs. xWallet

Dimension	Traditional PKI Wallets	xWallet
Key Management	Wallet manages signing keys, rotation, backup	Injected signing — no key management baked in
Breach Impact	Key compromise exposes all credentials	Must compromise k-of-n independent shares
Quantum Resistance	RSA/ECDSA vulnerable to Shor's algorithm	Information-theoretic — unconditionally secure
Selective Disclosure	Requires issuer to create limited-scope credentials	Holder-side attribute-level disclosure at presentation time
Audit Trail	Varies by implementation; often absent	HMAC-chained log — tamper-evident by construction
Ephemeral Identity	Not designed for microsecond operations	~35µs reconstruct enables xID's ~50µs pipeline

HMAC Before Reconstruction

xWallet verifies the HMAC-SHA256 tag on every share before passing it to XorIDA for reconstruction. A corrupted or tampered share is rejected at the storage layer, not at the application layer. This is a hard rule — no share enters the reconstruction pipeline without passing integrity verification.

VERIFIED BY XPROVE

Verifiable Credential Handling

Every xWallet operation produces integrity artifacts that xProve can chain into a verifiable audit trail. Prove that credentials were issued, stored, and presented correctly — without revealing the credentials themselves.

XPROVE CREDENTIAL AUDIT

xWallet's per-share HMAC tags and HMAC-chained audit logs feed directly into xProve's verification pipeline. For regulated industries (healthcare, finance, government), this provides cryptographic proof of correct credential handling — not just encryption, but verifiable issuance, storage, and presentation. Upgrade to zero-knowledge proofs when auditors need public verification without credential disclosure.

Read the xProve white paper →

VERIFIABLE WITHOUT CODE EXPOSURE

Ship Proofs, Not Source

xWallet generates cryptographic proofs of correct execution without exposing proprietary algorithms. Verify integrity using zero-knowledge proofs — no source code required.

XPROVE CRYPTOGRAPHIC PROOF

Download proofs:

Tier 1 HMAC (~0.7KB)
Tier 2 Commit-Reveal (~0.5KB)
Tier 3 IT-MAC (~0.3KB)
Tier 4 KKW ZK (~0.4KB)

Verify proofs online →

Use Cases

🏛️

REGULATORY

FDA / SEC Submissions

Prove algorithm correctness for verifiable credentials without exposing trade secrets or IP.

Zero IP Exposure

🏦

FINANCIAL

Audit Without Access

External auditors verify verifiable credential storage without accessing source code or production systems.

FINRA / SOX Compliant

🛡️

DEFENSE

Classified Verification

Security clearance holders verify verifiable credentials correctness without clearance for source code.

CMMC / NIST Ready

🏢

ENTERPRISE

Procurement Due Diligence

Prove security + correctness during RFP evaluation without NDA or code escrow.

No NDA Required

Section 11

Limitations

Honest engineering requires honest documentation. Five known limitations with their mitigations.

Limitation	Impact	Mitigation
Full reconstruct before selective disclosure	The full credential must be reconstructed from shares before attribute selection can occur. The complete credential exists in volatile memory during the disclosure window.	Volatile memory only — never persisted. Immediate purge after attribute extraction. The ~60µs window minimizes exposure. Future: attribute-level splitting for per-field reconstruction.
Binary format version-locked	The deterministic binary serialization format (version 1) is fixed. Schema changes or new attribute types require a format version bump, which means all stored credentials in the old format must be migrated.	Version byte in header enables forward-compatible readers. Migration is a re-serialize-and-re-split operation, not a cryptographic change.
HMAC keys not rotatable	Each credential's HMAC key is generated at storage time and bound to the share set. Rotating the HMAC key requires retrieving, re-authenticating, and re-splitting the credential.	HMAC-SHA256 keys are 256-bit random — brute-force infeasible. Rotation is supported via re-store, but is an explicit operation, not automatic.
Append-only revocation (no compaction)	The revocation registry grows monotonically. Each revocation adds an entry; revocations are never removed. Over time, the registry grows linearly with the number of revocations.	HMAC-chained append-only is a deliberate design choice for tamper-evidence. Compaction would break the chain. Practical limit: millions of entries before performance impact.
9 built-in schemas not exhaustive	The nine built-in schemas (government-id, drivers-license, passport, diploma, health-certificate, vaccination-record, professional-license, financial-kyc, insurance-policy) do not cover every domain.	`createSchema` and `registerSchema` enable custom schemas with arbitrary attributes. Built-in schemas are convenience, not constraint.

Section 12

Enterprise CLI

@private.me/xwallet-cli is a self-hosted credential management server — Docker-ready, air-gapped capable, with three-role RBAC and append-only audit logging.

13

REST endpoints

3

RBAC roles

~70

Enterprise tests

4600

Default port

Endpoints

Method	Path	Permission	Description
GET	/health	—	Health check
POST	/schemas	schema:create	Register a credential schema
GET	/schemas	schema:list	List all schemas
GET	/schemas/:id	schema:get	Get schema by ID
GET	/schemas/builtin	schema:get	List built-in schema IDs
POST	/credentials	credential:issue	Issue credential (metadata only)
GET	/credentials	credential:list	List credential metadata
GET	/credentials/:id	credential:get	Get credential metadata
POST	/credentials/:id/verify	credential:verify	Verify credential status
POST	/revocations	revocation:revoke	Revoke a credential
GET	/revocations/:credId	revocation:check	Check revocation status
GET	/revocations	revocation:list	List all revocations
GET	/audit	audit:read	Audit log entries

RBAC Roles

Admin — full access: create schemas, issue/verify/revoke credentials, manage API keys, read audit logs.
Operator — create schemas, issue/verify/list credentials, check revocations.
Auditor — read-only: schemas, credentials, revocations, audit logs.

METADATA ONLY

The server stores credential metadata only. Actual credential data lives in XorIDA shares client-side. No plaintext credentials ever touch the server.

Docker Deployment

docker build -t xwallet-cli -f packages/xwallet-cli/Dockerfile .
docker run -d --name xwallet -p 4600:4600 \
  -v xwallet-data:/data \
  -e XWALLET_ADMIN_KEY=your-secret-key \
  xwallet-cli

Section 13

Get Started

Install xWallet, register a schema, and issue your first verifiable credential in minutes.

Install

npm install @private.me/xwallet

Quick Start

import {
  issueCredential,
  storeCredential,
  retrieveCredential,
  createPresentation,
  verifyPresentation,
  getBuiltInSchemas,
} from '@private.me/xwallet';

// List available schemas
const schemas = getBuiltInSchemas();
// → government-id, drivers-license, passport, diploma, ...

// Issue a credential
const { value: credential } = await issueCredential({
  schemaId: 'diploma',
  issuerDid: universityDid,
  subjectDid: studentDid,
  attributes: {
    degree: 'B.Sc. Computer Science',
    institution: 'MIT',
    graduationDate: '2025-06-01',
    gpa: 3.92,
  },
  signingFn: universitySignFn,
});

// Store — XorIDA-split into k-of-n shares
const { value: handle } = await storeCredential(credential);

// Retrieve — HMAC-verified, reconstructed (~60µs)
const { value: restored } = await retrieveCredential(handle);

// Present — selective disclosure (degree + institution only)
const { value: presentation } = await createPresentation({
  credential: restored,
  request: { attributes: ['degree', 'institution'] },
  signingFn: studentSignFn,
});

// Verify — employer checks presentation
const { value: verified } = await verifyPresentation(
  presentation,
  universityVerifyFn,
);
// verified.attributes → { degree, institution }
// gpa and graduationDate are NEVER disclosed

Full ACI documentation, schema reference, and integration guides are available in the ACI catalog.

GET STARTED

Ready to deploy xWallet?

Talk to Sol, our AI platform engineer, or book a live demo with our team.

Book a Demo