8Z-Auth:
Software Unclonable Functions
A novel authentication protocol where the algorithm itself is the identity — with DCC-governed adaptive challenge-response and competing proof generators
What Is 8Z-Auth?
8Z-Auth is an authentication protocol that introduces three novel concepts to the security landscape:
Software Unclonable Functions (SUFs) — the software equivalent of hardware Physical Unclonable Functions (PUFs). Where PUFs use silicon manufacturing variation as identity, SUFs use the specific implementation decisions of a codebase — PRNG constants, serialization formats, hash chain structures — as an unclonable fingerprint.
Competing proof generators — multiple algorithmic generators (XorShift chain, compression output, TSP tour hash) compete under MDL selection to produce the proof. Only someone with ALL generators can respond to any challenge.
DCC-governed adaptive difficulty — the protocol's internal state evolves deterministically based on authentication history. Successful use increases coupling (faster next time). Failures decrease coupling (harder next time). Not ML-based — deterministic and protocol-internal.
Your code is your fingerprint. The algorithm itself is the key.
The Problem
Standard authentication uses one of three factors: something you know (password), something you have (device/token), or something you are (biometrics). All use generic, published algorithms — AES, SHA, ECDSA — shared by millions. Your 2FA app uses the same HMAC-SHA1 as everyone else's.
For personal security — protecting tools, files, or applications that only you use — this is over-engineered in some ways (server infrastructure, key management) and under-engineered in others (the algorithm provides zero identity signal).
Kerckhoffs's Blind Spot
Kerckhoffs's Principle (1883) states: a cryptographic system should be secure even if the attacker knows everything about the system except the key. This is correct — for algorithms used by billions. SHA-256's security doesn't depend on the algorithm being secret.
Kerckhoffs's is a population-level rule. At N=1 — where the algorithm exists on one machine, shaped by one mind over decades — the algorithm IS the secret. The search space isn't a key space. It's the space of all possible algorithm implementations. Nobody in security questions this because Kerckhoffs's is axiomatic — the first thing they learn.
8Z-Auth asks: where's the evidence this applies when N=1?
The Core Insight
Authentication IS Compression
"Prove you're Bojan" is equivalent to "produce the shortest program that generates the correct response to this challenge." That's the Minimum Description Length principle — identity as the minimum description that reproduces the data.
Your 8Z code IS the minimum description of "you" in authentication context. Nobody else can compress the challenge into the correct response because nobody else has the generator.
Software Unclonable Functions
Hardware PUFs exploit manufacturing variation — each chip is unique because you can't perfectly control the fabrication process. Over 1 billion PUF-secured devices are deployed worldwide.
Software PUFs exploit implementation variation — the specific decisions a programmer made. Your XorShift64Star uses constants (12, 25, 27) and multiplier (2685821657736338717). Your params_to_bytes uses a specific length-prefixed sorted-key serialization. Your derive_seed_u64 chains SHA3-256 of concatenated domains. Nobody else on Earth has this exact pipeline.
Traditional auth uses: something you know, something you have, something you are.
8Z-Auth adds: something you built. Your algorithmic pipeline is a fourth authentication factor — not a key, not a device, not a biometric, but an implementation fingerprint.
The Protocol
Three Layers
A strong passphrase that seeds the key derivation. Standard factor. 20+ characters of something only you'd know.
The 8Z transformation pipeline: params_to_bytes() → derive_seed_u64() → XorShift64Star → DCCSMeter. The specific constants, byte layouts, hash chains, and iteration logic. This is your algorithmic fingerprint.
After each successful auth, coupling u increases (exploit — faster). After failures or long gaps, u decreases (explore — harder). The PBKDF2 iteration count becomes 100000 + round((1-u) × 500000). You barely notice. An attacker is progressively throttled.
8Z Primitives Used
All four primitives already exist in the 8Z codebase — no new crypto invented:
| Primitive | Role in 8Z-Auth | Origin |
|---|---|---|
| params_to_bytes() | Deterministic serialization — the "dialect" | 8Z-RP TSP Solver |
| derive_seed_u64() | Three-input seed derivation via SHA3-256 | 8Z-RP TSP Solver |
| XorShift64Star | PRNG with specific bit-shift constants | 8Z-RP TSP Solver |
| DCCSMeter | Adaptive coupling controller for difficulty | Digital Claustrum (1995 → 2024) |
Protocol Flow
CHALLENGE: nonce N = SHA3(date_YYYYMMDD + blob_header_salt)
DERIVE: seed = derive_seed_u64(SHA3(passphrase), "8Z_AUTH",
params_to_bytes({"nonce": N, "day": YYYYMMDD}))
ITERATE: rng = XorShift64Star(seed)
run rng.next_u64() exactly K times
where K = 64 + (day_of_month × 7) × DCC_factor(u)
RESPONSE: key_material = SHA3(rng.state as 8 bytes)
DECRYPT: AES-256-GCM(blob, PBKDF2(key_material, salt, iterations))
The response is used as decryption key material, not compared against a stored hash. Wrong response → garbage bytes → nothing renders. No oracle, no feedback, no "try again" message. Just silence or success.
Architecture
Five Walls of Defense
Three obscurity walls (weak individually, strong in combination — all three must fail simultaneously) plus two mathematically hard walls. An attacker who defeats obscurity still faces AES-256-GCM encryption plus a custom algorithmic pipeline they can't replicate.
Three Components
bd_vault_encrypt.py your machine only
Takes HTML trader + passphrase. Generates daily challenge seed from date. Derives AES key from 8Z pipeline. Outputs encrypted blob with unencrypted header (challenge display data only — never the answer).
Encrypted Blob protected payload
Looks like random bytes. Anyone can download it. Useless without the decoder AND the passphrase AND the correct algorithmic pipeline.
bd_vault_decoder.html operator access point
You open it. Enter the required input. It fetches the protected payload, shows challenge material, derives the key through the 8Z pipeline, and attempts AES decryption. Success → trader renders in iframe. Failure → nothing.
Operational separation is left to the operator. Public-facing material should describe the access experience, not expose implementation-sensitive routing or hosting details.
User Experience
Daily Use
Step 1: Open decoder page (bookmark, local file, whatever)
Step 2: Blob URL auto-remembered, or paste it
Step 3: Type your passphrase
Step 4: Your trader appears. Trade.
Total time added: ~5 seconds.
If the passphrase is wrong: the iframe shows nothing. No error message. No "incorrect password." No feedback whatsoever. Just an empty frame. This is deliberate — no oracle for an attacker to probe.
DCC Adaptive Layer
The decoder maintains a small local counter (or derives state from usage patterns):
| Scenario | Coupling u | PBKDF2 Iterations | Effect |
|---|---|---|---|
| 10 days daily use | u → 0.9 | ~150K | Fast unlock (<1s) |
| Normal daily use | u = 0.5 | ~350K | Standard (~2s) |
| 1 week gap | u → 0.2 | ~500K | Slightly slower (~4s) |
| Multiple wrong attempts | u → 0.0 | ~600K | Slow (~6s) — brute-force wall |
You'd never notice the difference between 1s and 2s. An attacker trying thousands of passphrases faces exponentially increasing computation per attempt.
Competing Generators (Optional Layer)
Instead of always using the same key derivation, the challenge rotates through generator types based on day_of_year % num_generators:
Generator A: XorShift64Star chain (K iterations of PRNG)
Generator B: Compressed size of a specific byte sequence via 8Z codec logic
Generator C: Tour hash of a mini-TSP instance (10 cities, your solver)
Your decoder has all generators. An attacker who reverse-engineers one still can't handle the others. This is MDL selection applied to proof generation — which generator produces the "shortest proof" for today's parameters.
Software PUF Factory
From Personal Tool to Universal Product
8Z-Auth works for one person. But what if anyone could have their own?
A Software PUF Factory is a program that generates unique encoder/decoder pairs by randomizing the algorithm internals. The architecture is public (like a PUF chip design). Each instance is unique (like each manufactured chip). The generation seed is used once and discarded — exactly like manufacturing variation.
You run the factory program. It picks random:
• XorShift constants (bit-shift amounts, multiplier)
• params_to_bytes field ordering and type markers
• Hash chain depth and intermediate mixing steps
• DCC threshold values and iteration formula
• Generator selection schedule
It outputs two files: my_vault_encrypt + my_vault_decrypt.html. The factory program can be open source. Kerckhoffs's Principle is satisfied at the population level (everyone knows the architecture), but each instance is unclonable because the specific random choices are used once during generation and never stored.
Hardware PUF: Public chip design + unique manufacturing variation = unclonable identity
Software PUF Factory: Public factory program + unique random generation seed = unclonable instance
Both satisfy Kerckhoffs's at the population level while providing per-instance uniqueness.
Prior Art & Novelty
Extensive research across NIST standards, RFCs (RFC 6287 OCRA, RFC 1994 CHAP), academic papers, security forums, and open-source projects (March 2026):
| Existing Concept | What It Does | What 8Z-Auth Adds |
|---|---|---|
| Challenge-Response | Standard crypto (HMAC-SHA1) with shared secrets | Custom algorithmic pipeline as identity factor |
| Hardware PUFs | Manufacturing variation as unclonable identity | Implementation variation as unclonable identity (Software PUF) |
| Proof of Work | Computational puzzles as access gates | Computation as identity (not just cost) |
| Adaptive MFA | ML risk scoring adjusts auth requirements | Deterministic DCC governance (protocol-internal, not ML) |
| SyncSeed (GitHub) | PRNG-based C-R with seed mutation | Competing generators + MDL selection + DCC adaptation |
| Password-based Encryption | Derive key from password | Key derived from password + custom algorithmic pipeline + time |
Software Unclonable Functions — nobody has proposed this concept
Competing proof generators under adaptive governance — no prior art
Authentication as compression (MDL identity) — no prior formulation
DCC-governed adaptive difficulty in auth protocols — no prior art
The intersection of PUF + challenge-response + proof-of-work + MDL identity + DCC governance is unoccupied.
Roadmap
bd_vault_encrypt.py (Python) + bd_vault_decoder.html (JS). AES-256-GCM + PBKDF2 + passphrase. No DCC, no competing generators. Just works.
Add adaptive difficulty. Decoder tracks auth history locally. PBKDF2 iterations scale with coupling u. Progressive brute-force resistance.
Multiple proof generators rotating by date. XorShift chain + compression output + mini-TSP. MDL selects which generator proves identity today.
Open-source factory program. Anyone generates their own unique encoder/decoder pair. Publishable paper: "8Z-Auth: Software Unclonable Functions with DCC-Governed Adaptive Challenge-Response."
Every domain is the same problem. Authentication is just compression wearing a different hat.
Part of the 8Z Research Framework — MDL • DCC • Competing Generators