Cryptographic Identity Infrastructure

Security is a Physics Problem.
Not a Trust Problem.

Identity Layer removes the credential database from your threat surface. Device-bound keys, split-knowledge key derivation, audit without content custody. No stored secrets. No breach liability. No central repository.

Ed25519 auth | AES-256-GCM | HKDF derivation | No identity storage | Offline analog vault | TEE / Secure Enclave | Drop-in integration | 225 KB full stack | IoT / NFC / Mobile / Desktop
[Diagram: Identity Standard, device key, analog vault, app layer, verifier, audit; Ed25519, AES-256, HKDF]
€1.09B | GDPR fines 2023 | DLA Piper GDPR Survey 2024
83% | Breaches involve credentials | Verizon DBIR 2023
<1d | Typical integration time | Identity Middleware by design
140+ | Active identities in production | Eight reference deployments

Credential storage is the breach target

Every major breach of the last decade traces back to a centralised credential database. The architecture we deploy eliminates that surface by design.

€1.09B
Total GDPR fines issued across the EU in 2023. The majority trace to inadequate data protection and credential exposure.
Source: DLA Piper GDPR Fines Survey 2024

83%
Of data breaches involve compromised, weak, or reused credentials stored in centralised systems.
Source: Verizon DBIR 2023

$4.45M
Average cost of a data breach in 2023. Identity-related incidents consistently rank among the most expensive categories.
Source: IBM Cost of a Data Breach 2023

287d
Average time to identify and contain a breach. Centralised credential stores extend both detection and containment windows.
Source: IBM / Ponemon Institute 2023

A credential database that does not exist cannot be stolen. Identity Layer reduces operational costs, breach surface, and liability by eliminating centralised credential management at the infrastructure level. Compliance with GDPR Article 25, eIDAS 2.0, MiFID II, and NIS2 becomes architectural, not a policy layer applied over an insecure foundation.

GDPR Art. 25 | eIDAS 2.0 | MiFID II | NIS2

A layered infrastructure, not a product

Identity Layer is the baseline architecture of the Identity infrastructure suite. Each layer is independently licensable and integrates with minimal surface by design. The complete server-side stack is 225 KB.

Foundation
Identity Layer
Baseline identity infrastructure layer. Ed25519 challenge/response, device-bound keys, stateless authentication, no credential database. The trust primitive is uniform across execution contexts: mobile, desktop, IoT, NFC.
Contextual isolation
Identity High Security (Identity HS)
Cryptographic isolation per product, instance, or environment. Separate key hierarchies and elevated trust boundaries for regulated or high-sensitivity deployments.
Integration
Identity Middleware
Application-layer integration surface, minimal by design. Your product remains your product. The middleware removes the credential liability surface without restructuring your stack. A 5 KB bridge drops into existing endpoints. A router sits in front of your API. Integration typically completes within a working day.
Production evidence
Reference Deployments
Five production deployments across distinct verticals. Cleared on Google Play and the Microsoft Store. Over 100 active identities in operation.
Vertical products
Mujo / Parta Labels / Parta Research / RENTRI / Flow
Production applications built on the Identity infrastructure. They are proof of the architecture. They are not the product being licensed.
Split-knowledge key derivation
The full key never exists at rest. Device fragment and server fragment recombine in volatile memory only. A breach yields partial material with no utility.
Device-bound identity
Private keys generated and stored on-device, non-exportable. Tied to Secure Enclave or TEE when available. Identity cannot be migrated without controlled re-enrollment.
Offline analog vault
Printable QR master key enables recovery without cloud escrow or identity databases. Operates in air-gapped environments. Carrier-agnostic: QR, PDF, printed artifact.
Forward-only audit
Audit capabilities operate on metadata under controlled legal activation. Message content and identity remain structurally unavailable, not administratively withheld.
Encrypted portable payloads
AES-256-GCM encrypted payloads readable only by a verified identity. DEK protected by a KEK derived from the identity relationship. Carrier circulates without revealing content.
IoT physical integration
The same challenge/response trust primitive extends to ESP32, RP2040, and NTAG424 DNA NFC badges with onboard AES-128 and non-exportable keys.
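
The split-knowledge derivation described above, sketched as an added example (not Identity Layer's own code): two fragments are recombined through HKDF-SHA256 (RFC 5869) into a working key that exists only in memory. The function name derive_working_key, the salt string, the context label and the fragment sizes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_working_key(device_fragment: bytes, server_fragment: bytes,
                       context: bytes, length: int = 32) -> bytes:
    """Recombine both fragments into a working key held only in memory."""
    if len(device_fragment) < 32 or len(server_fragment) < 32:
        raise ValueError("each fragment must carry at least 256 bits")
    # Length-prefix each fragment so two different fragment pairs can never
    # produce the same concatenated input.
    ikm = b"".join(len(f).to_bytes(2, "big") + f
                   for f in (device_fragment, server_fragment))
    prk = hkdf_extract(b"split-knowledge-demo-v1", ikm)  # hypothetical salt
    return hkdf_expand(prk, context, length)


# Constructed sample fragments: one would be held on the device (ideally in
# a TEE or Secure Enclave), the other by the server. Neither is the key.
DEVICE_FRAGMENT = secrets.token_bytes(32)
SERVER_FRAGMENT = secrets.token_bytes(32)
KEY = derive_working_key(DEVICE_FRAGMENT, SERVER_FRAGMENT, b"aes-256-gcm payload key")
```

With only one fragment, the other 256 bits of HKDF input remain unknown, so the stolen half does not narrow the search for the working key; the context label keeps keys derived for different purposes independent.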
GDPR
Privacy-by-architecture. No personal data storage.
eIDAS 2.0
Infrastructure independence and jurisdictional control by design.
MiFID II
Audit without content disclosure. Verifiable metadata only.
NIS2
Eliminates centralised breach surface. Reduces notification exposure.

Not a prototype. Not a Proof of Concept.

Identity Layer is in production across multiple verticals, cleared on Google Play and the Microsoft Store.

Component                  | Before   | After
Credential database        | Present  | Reduced
Password storage           | Required | Reduced
API key management         | Required | Reduced
Credential reset flow      | Required | Reduced
Session secret store       | Required | Reduced
Centralised breach surface | Present  | Eliminated
Mujo
Encrypted messaging protocol
Device-bound identity for anonymous pairing. No accounts, no phone numbers. Identity lives only on the device. Ephemeral messaging with P2P signaling. 35 active profiles.
Parta Labels
AES-256 encrypted QR label system
Split-knowledge derivation. Master key never leaves the device. Applicable to inventory, chain-of-custody, and document workflows. 39 active keys.
Parta Research
Academic collaboration network
Authenticated researcher network without credential exposure. Identity Standard-based social graph. Open beta, Android. 65 active identities.
Ecosystem RENTRI
Compliance SaaS - Windows
Italian waste management compliance platform. Identity Layer authenticates operators and field devices. Regulated-environment deployment at institutional scale. 4 Identity HS deployments.
Ecosystem Companion
Field operator app - Android
Mobile companion for field operators. Device-bound identity for secure field authentication. Cross-platform identity continuity with the RENTRI Windows SaaS.
Identity IoT
Physical nodes / sensor network / NFC access
The Identity layer extends to physical nodes. Supported sensor types: temperature, humidity, pressure, PIR motion, GPS, energy metering. NFC access control via NTAG424 DNA with onboard AES-128, non-exportable keys, dynamic CMAC. Raspberry Pi Pico 2W reference deployment operational. Boot to verified identity in 6.5 seconds.
Identity Tag
NFC badge access control - multi-tenant
NTAG424 DNA badge access control layer built on Identity IoT infrastructure. Ed25519 challenge/response per badge read. Multi-tenant: each tenant manages its own node fleet and badge registry independently. Two binding modes: STD (authorised terminal fleet) and HS (badge cryptographically bound to a specific terminal via its public key). Flutter manager app for badge provisioning, node configuration, and entitlement control.
Parta Tag
NFC badge manager - Android
Flutter app for provisioning and managing NTAG424 DNA badges. Write badge payloads, configure STD and HS binding modes, manage node fleets and entitlements. Multi-tenant interface for Identity Tag deployments.
Parta IoT
IoT node manager - Android
Flutter app for provisioning and monitoring Identity IoT nodes. Configure node identity, sensor type, tenant assignment, and connectivity parameters. Live reading dashboard per node.
140+
Active identities
700++
Challenges verified
Eight reference deployments
▶ Google Play - cleared ◆ Microsoft Store - cleared

Three tiers. One architecture.

We license the Identity infrastructure layer to products that need cryptographic identity without becoming custodians of credential secrets.

Tier A
Integration Licensing
Embed Identity Layer into your existing product. Keep your stack, your UX, your infrastructure. Remove the credential liability surface.
  • No credential database left to breach
  • Drop-in middleware, no application rebuild
  • Self-hosted or managed deployment
  • Full technical documentation and integration support
  • Live in under a day on existing production stacks
Tier C
Vertical Turnkey
Full delivery for regulated environments, including configuration, compliance documentation, and operational handover.
  • Healthcare: instant role-correct access, audited break-glass
  • Regulated finance: stolen devices can't impersonate customers
  • Legal & M&A: encrypted exchange neither provider can read
  • Physical access: badges and door systems that can't be cloned
  • Connected devices: field equipment that proves its own identity
Pricing is structured by deployment scope and jurisdiction. Available on request following NDA.
Not an IAM replacement: the missing cryptographic foundation
Not a KYC provider: enables verifiable flows without custody
Not a messaging app: encrypted portable payloads (QR / PDF)
Not blockchain / SSI: device-bound, no distributed ledger required
Request Architecture Brief: licensing@aeonianengineering.com

Licensing and technical inquiry

Commercial licensing inquiries are handled by AEL (Hong Kong). Technical documentation is available on request from WIDE (Italy).

Commercial licensing - APAC & worldwide
Aeonian Engineering Limited
Hong Kong - Exclusive worldwide licensee
licensing@aeonianengineering.com

Architecture Brief, NDA, Technical Deep Dive, and Term Sheet are available on request. The document flow is sequential and structured by engagement stage.

Technical documentation - Europe
WIDE di D. Papa
Naples, Italy - IP rights holder and EU backing, since 1999
licensing@simwide.com

IP documentation, architecture references, and European licensing inquiries. Technical integration requests: d.papa@simwide.com.