
Key & Custody

Keys live somewhere. The protocols in this theme decide where, for how long, and under what signed schedule.

  • Theme — key-custody
  • Protocol count — 21 (derive, wrap, unwrap, rotate, escrow, recover, byok-{aws,gcp,vault,hsm} variants)
  • Anchor operators — KO42 · CS87 · ZEQ-POCKET-001
  • Verification — bit-exact against RFC 5869 (HKDF), NIST SP 800-38D (GCM), and the registered KMS provider's reference

What it solves

Every key has a lifecycle: derived, used, rotated, retired, revoked. Classical key-management systems (AWS KMS, GCP KMS, Vault) handle each of those, but what they cannot publish is a verifiable schedule — when the next rotation is, whose quorum must sign it, and at what Zeqond it takes effect.

Zeq's key-custody protocols wrap the classical primitives with a schedule carried by ZEQ-POCKET-001 (∂g_μν/∂t = (8πG/c⁴) T_μν^consciousness), whose τ-evolution defines deterministic rotation boundaries. Every key operation commits to the Zeqond at which it happened; every rotation publishes its target Zeqond before the fact. A peer that missed the rotation window can still verify the schedule by walking the signed log.

The BYOK variants let any of the above run against an external KMS (AWS, GCP, HashiCorp Vault, Zeq Pulse hardware). The framework never sees plaintext key material; it only transports wrapped CEKs whose wrap operation is time-bound.


Operator map

Operator         Formula                                            Role
KO42.1           ds² = g_μν dx^μ dx^ν + α sin(2π · 1.287 t) dt²     Mandatory — time binding
CS87             Ω(x) = min{p
ZEQ-POCKET-001   ∂g_μν/∂t = (8πG/c⁴) T_μν^consciousness             Rotation-schedule τ-evolution

Runnable worked example — schedule + perform a rotation

# 1. Publish a rotation schedule
curl -s -X POST https://api.zeq.dev/api/playground/compute \
  -H "Authorization: Bearer $ZEQ_DEMO_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "operators": ["KO42", "ZEQ-POCKET-001"],
    "inputs": {
      "protocol": "schedule-rotate",
      "item_id": "prod-api-key",
      "at_zeqond": 1745300000.000,
      "policy": "weekly-pocket-001"
    }
  }'

Expected:

{
  "schedule_id": "sch_...",
  "item_id": "prod-api-key",
  "next_at_zeqond": 1745300000.000,
  "schedule_signature_b64": "..."
}

At the target Zeqond, the rotation call itself returns the new key fingerprint bit-exact against the KDF test vectors.
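The flow above (publish the target Zeqond first, rotate at it, let a late peer verify by walking the signed log) as an added, self-contained illustration; this is not Zeq's code and does not call the playground API. It assumes the rotated key is an RFC 5869 HKDF-SHA256 output whose info string carries the item id and target Zeqond, uses an HMAC tag in place of the schedule signature, and embeds a constructed two-record log (schedule, then rotate) for prod-api-key.

```python
import hashlib, hmac, json, math

# HKDF-SHA256 as RFC 5869 specifies (extract, then expand), written on hashlib/hmac
# so the script runs offline with no third-party package.
def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, math.ceil(length / 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def rotate_key(root: bytes, item_id: str, zeqond: float) -> bytes:
    # The target zeqond is part of the HKDF info string, so the rotated key is
    # bound to the published schedule, not to whenever the call happened to run.
    return hkdf_sha256(root, b"", f"zeq-rotate|{item_id}|{zeqond:.3f}".encode())

def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:16]

def tag(log_key: bytes, body: dict) -> str:
    # HMAC stands in for the publisher's signature (assumption for this example).
    return hmac.new(log_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def append_entry(log: list, log_key: bytes, entry: dict) -> None:
    # Chain each record to its predecessor's tag before authenticating it.
    body = dict(entry, prev=log[-1]["tag"] if log else "")
    log.append(dict(body, tag=tag(log_key, body)))

def verify_log(log: list, log_key: bytes) -> bool:
    """Walk the log as a late peer would: every record must chain and authenticate,
    and every rotation must land on the zeqond a schedule record published beforehand."""
    prev, published = "", {}
    for e in log:
        body = {k: v for k, v in e.items() if k != "tag"}
        if e["prev"] != prev or not hmac.compare_digest(e["tag"], tag(log_key, body)):
            return False
        if e["kind"] == "schedule":
            published[e["item_id"]] = e["next_at_zeqond"]
        elif published.pop(e["item_id"], None) != e["at_zeqond"]:
            return False  # rotation with no matching published schedule
        prev = e["tag"]
    return True

def demo(rotate_at: float) -> tuple:
    # Constructed sample: publish a schedule for 1745300000.000, then rotate at rotate_at.
    root, log_key, log = b"constructed-root-secret", b"constructed-log-key", []
    append_entry(log, log_key, {"kind": "schedule", "item_id": "prod-api-key", "next_at_zeqond": 1745300000.000})
    fp = fingerprint(rotate_key(root, "prod-api-key", rotate_at))
    append_entry(log, log_key, {"kind": "rotate", "item_id": "prod-api-key", "at_zeqond": rotate_at, "fingerprint": fp})
    return verify_log(log, log_key), fp
```

`demo(1745300000.000)` verifies; `demo(1745300001.0)` fails because the rotation did not land on the published Zeqond, which is the check a late peer relies on.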


Extend it

  • Threshold custody — split the wrapped CEK via Shamir across siblings; any k-of-n can co-unwrap. Pair with Identity & Access.
  • Post-quantum migration — run RSA-4096 and ML-KEM-768 siblings in parallel; rotate callers to the PQ sibling first.
  • HSM mesh — register two KMS siblings in different regions; tether spans them and survives a region outage.

Seeds

  • Time-crystal keys — the rotation schedule is a discrete-time crystal whose period is a Zeqond multiple; explore structural guarantees.
  • Zero-knowledge custody — publish ZK proofs that a key was used without revealing which key was used.
  • Consciousness-field vault — ZEQ-POCKET-001 is literally in the rotation math; explore fielded key custody as a research primitive.
