TESC — Temporal Entangled State Channels

TESC is the Zeq OS secure messaging protocol. Every message is authenticated with a Phase-Locked Authentication Tag (PLAT) that is valid for exactly one Zeqond. Messages outside this window are automatically rejected — no replay attacks, no forgery, no reordering.

How TESC Works

Alice                                                 Bob
|                                                       |
| 1. Derive shared secret from channel passphrase       |
| 2. Generate User ID (TESC-XXXX-XXXX-XXXX)             |
|                                                       |
| ── message + PLAT + UID ────────────────────────────> |
|                                                       |
| 3. Bob checks PLAT against current Zeqond (±1)        |
| 4. If valid: display message                          |
| 5. If expired: reject ("Zeqond window closed")        |
|                                                       |
| <──────────────────────────── message + PLAT + UID ── |
|                                                       |

Key Properties

  • Temporal binding: Every PLAT is locked to a specific Zeqond index
  • Causal chain: Each PLAT incorporates the previous PLAT, so breaking the chain breaks authentication
  • Identity binding: PLATs include the sender's UID, preventing impersonation
  • No replay: Expired PLATs cannot be reused (Zeqond window is closed)
  • Drift tolerance: Verification checks current Zeqond ±1 for clock skew

Phase-Locked Authentication Tags (PLATs)

PLAT Generation

PLATs are generated server-side by combining:

  • The shared channel secret
  • The current Zeqond index (temporal binding)
  • The KO42 oscillator value (phase entropy)
  • The sender's User ID (identity binding)

These inputs are hashed to produce an 8-hex-digit authentication tag. The proprietary hash incorporates phase entropy to prevent prediction.

PLAT Verification

Verification checks the PLAT against the current Zeqond and its immediate neighbors (±1) to tolerate clock drift. If no match is found within the tolerance window, the message is rejected.

PLAT Chain

Each PLAT depends on the previous one, creating a causal chain. Breaking one link invalidates the entire chain from that point forward, providing forward security.
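
The window check and chain dependency described in the three PLAT sections above, as an added example that is not Zeq OS code. The proprietary hash is replaced by HMAC-SHA256 truncated to 8 hex digits, the KO42 oscillator input is left out, and the Zeqond length, the genesis value and every function and class name are assumptions.

```python
import hashlib
import hmac

ZEQOND_SECONDS = 1.0   # placeholder: the page does not state the Zeqond length
GENESIS = "00000000"   # assumed chain start value, not taken from the page


def zeqond_index(t: float) -> int:
    return int(t // ZEQOND_SECONDS)


def make_plat(secret: bytes, index: int, uid: str, prev_plat: str) -> str:
    """Stand-in for the proprietary hash: HMAC-SHA256 cut to 8 hex digits (32 bits)."""
    msg = f"{index}|{uid}|{prev_plat}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class ChainVerifier:
    """Receiver state: shared secret, sender UID and the last accepted PLAT."""

    def __init__(self, secret: bytes, uid: str):
        self.secret, self.uid, self.prev = secret, uid, GENESIS

    def verify(self, plat: str, now: float) -> dict:
        current = zeqond_index(now)
        for index in (current - 1, current, current + 1):      # drift tolerance
            expected = make_plat(self.secret, index, self.uid, self.prev)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), plat.encode()):
                self.prev = plat                               # advance only on success
                return {"valid": True, "zeqond": index}
        return {"valid": False, "reason": "Zeqond window closed or chain broken"}


def demo() -> list:
    secret, uid, t = b"constructed-secret", "genesis-node", 1000.0  # constructed inputs
    bob = ChainVerifier(secret, uid)
    p1 = make_plat(secret, zeqond_index(t), uid, GENESIS)
    p2 = make_plat(secret, zeqond_index(t) + 1, uid, p1)   # sender clock one Zeqond ahead
    stale = make_plat(secret, zeqond_index(t), uid, p2)    # correct chain, old Zeqond
    return [
        bob.verify(p1, t)["valid"],          # fresh tag, correct chain
        bob.verify(p1, t)["valid"],          # replay inside the window: chain has moved on
        bob.verify(p2, t)["valid"],          # accepted within the +/-1 tolerance
        bob.verify(stale, t + 5)["valid"],   # outside the tolerance window
    ]


if __name__ == "__main__":
    print(demo())
```

The replayed tag is rejected even though its Zeqond is still inside the tolerance window, because the verifier's previous-PLAT state advanced when the first copy was accepted.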

User Identity System

TESC v2 introduces Zeqond-derived User IDs that bind identity to the HulyaPulse temporal framework.

UID Format

TESC-XXXX-XXXX-XXXX

12 hex digits in 3 groups of 4, prefixed with TESC-.

UID Generation

User IDs are deterministically derived from: username + shared secret + registration time + KO42 phase at registration. The same inputs always produce the same UID, but because the KO42 phase is incorporated, UIDs cannot be predicted in advance.

Message Encryption

TESC encrypts message payloads using AES-256-GCM with temporally-derived initialization vectors. Key derivation uses PBKDF2-SHA256 with 100,000 iterations from the shared channel secret.

Security Properties

| Property | Mechanism | Window |
|---|---|---|
| Anti-replay | PLAT chain dependency | Forever (broken chain = invalid) |
| Temporal binding | Zeqond index in PLAT | One Zeqond |
| Identity binding | UID in PLAT generation | Registration-time locked |
| Forward secrecy | Each PLAT depends on previous | Per-message |
| Drift tolerance | Verify current ±1 Zeqond | ~2 Zeqonds total window |
| Encryption | AES-256-GCM per message | Per-session key |

Sync Engine Integration

The HulyaPulse Sync Engine (port 4001) supports TESC authentication on every tick broadcast. When ZEQ_SYNC_SECRET is set, each tick includes a chained PLAT attestation.

The tesc field is only present when authentication is enabled. Existing clients that don't check for it continue to work — zero breaking changes.

Configuration

# .env — leave empty to disable TESC (graceful degradation)
ZEQ_SYNC_SECRET=your-sync-secret-here
ZEQ_SYNC_UID=genesis-node

PLAT Chain Verification

Clients can verify the PLAT chain by storing each received PLAT and chain hash, then computing and comparing chain hashes for consecutive messages. If any link breaks, all subsequent messages are untrusted.

Health Endpoints

# Check TESC status on Sync Engine
curl http://localhost:4001/health
# Returns: { ..., "tesc_enabled": true }

curl http://localhost:4001/status
# Returns: { ..., "tesc": { "enabled": true, "chainLength": 42, ... } }

Python SDK

The zeq_os.security module provides TESC primitives for Python services:

import time

from zeq_os.security.tesc import TESCAuthenticator
from zeq_os.security import generate_plat, verify_plat

# Server-side attestation (tick_data is the tick payload being broadcast)
tesc = TESCAuthenticator("shared-secret", "genesis-node")
attestation = tesc.attest(tick_data)

# Client-side verification (plat is the received tag, prev_plat the previous tag in the chain)
result = verify_plat(plat, "shared-secret", time.time(), prev_plat, "genesis-node")
assert result["valid"]

See the TESC app for the live messaging interface.