Access Does Not Equal Transfer
T3N’s security and privacy model is built on a three-network architecture — Secure Computation (TEE) Network, Storage Network, and Blockchain Network — that ensures access to private data never implies data transfer. By combining hardware-enforced isolation, advanced cryptography, and fine-grained user-controlled permissions, T3N enables computation on private data without exposing or moving the underlying data itself.

Trusted Execution Environments (TEEs)
T3N leverages TEEs to ensure that private data is processed exclusively inside hardware-backed secure enclaves and is never exposed to the host operating system, node operators, or AI agents requesting execution. Key properties include:
- Isolation: All computations run within encrypted memory enclaves, preventing access from the host OS, hypervisor, or other software on the same machine.
- Attestation: TEE nodes must present cryptographic proofs that they are running approved, unmodified software before they are authorized to receive data encryption keys.
- Resilience: The TEE Network operates as a distributed cluster, providing redundancy and high availability even in the presence of individual node failures.
The T3N TEE Network currently uses Intel TDX (Trust Domain Extensions) to run confidential virtual machines (trust domains) whose memory is encrypted and isolated from the host. Future versions will support other TEEs.

Attestation proves which software a node is running, not that the software is correct: the allowlist of approved measurements that the verifier checks against is therefore itself a trust anchor and has to be maintained with the same care as the keys it gates.
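The key-release gate that the Attestation bullet describes, written out as an added example (this is not T3N's code): a verifier checks a report's signature, its freshness nonce, its debug state and its measurement against an allowlist, and only then hands over a data-encryption key. The report field names, the policy values, the measurements and the HMAC-SHA256 stand-in for the Intel-rooted quote signature are all assumptions made so the example runs offline; a real TDX quote has a different layout and is verified through Intel's quote verification flow.

```python
import hashlib
import hmac
import json
import secrets

# Assumed: the key the verifier uses to check report signatures. A real TDX
# quote is signed by an Intel-rooted attestation key; HMAC-SHA256 stands in
# here so the example runs offline with the standard library only.
ATTESTATION_KEY = b"example-attestation-key"

# Key-release policy (values are constructed). MRTD is the TD's 48-byte
# SHA-384 build measurement; only approved, unmodified images are listed.
POLICY = {
    "allowed_mrtd": {"a1" * 48},
    "require_debug_off": True,
}

DATA_KEY = secrets.token_bytes(32)  # the data-encryption key that attestation gates


class AttestationError(Exception):
    pass


def _sign(report):
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ATTESTATION_KEY, body, hashlib.sha256).hexdigest()


def make_report(mrtd, nonce, debug=False):
    """Node side: a simplified report (field names are assumptions, not the TDX quote layout).
    report_data binds the report to the verifier's nonce, so an old report cannot be replayed."""
    report = {
        "tee_type": "TDX",
        "mrtd": mrtd,
        "debug": debug,
        "report_data": hashlib.sha256(nonce).hexdigest(),
    }
    return {"report": report, "sig": _sign(report)}


def release_key(quote, nonce, policy=POLICY):
    """Verifier side: signature, freshness, debug state and measurement, in that order.
    Every check runs before any key material leaves the verifier."""
    report, sig = quote["report"], quote["sig"]
    if not hmac.compare_digest(_sign(report), sig):
        raise AttestationError("bad signature")
    if report.get("tee_type") != "TDX":
        raise AttestationError("unexpected TEE type")
    if report.get("report_data") != hashlib.sha256(nonce).hexdigest():
        raise AttestationError("nonce mismatch")
    if policy["require_debug_off"] and report.get("debug"):
        raise AttestationError("debug-enabled TD")
    if report.get("mrtd") not in policy["allowed_mrtd"]:
        raise AttestationError("unapproved measurement")
    return DATA_KEY


def attempt(quote, nonce, policy=POLICY):
    """Status-code wrapper around release_key: returns (granted, reason)."""
    try:
        release_key(quote, nonce, policy)
        return True, "ok"
    except AttestationError as e:
        return False, str(e)


if __name__ == "__main__":
    nonce = secrets.token_bytes(16)
    print(attempt(make_report("a1" * 48, nonce), nonce))
    print(attempt(make_report("b2" * 48, nonce), nonce))
```

The order of the checks matters: the signature is verified before any field of the report is trusted, and the nonce check stops a node from replaying a report it produced while running approved software before it was modified.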
Cryptographic Standards
T3N employs privacy-enhancing technologies (PETs) to secure data at rest, in transit, and in use.

Post-Quantum Threshold Cryptography (ML-KEM)
All private data is encrypted using post-quantum threshold encryption, providing strong confidentiality even under partial compromise. This approach has the following properties:
- Quantum-Resistant Key Distribution: Decryption key material is split into multiple shares and distributed across independent TEE nodes, with each node's share protected by ML-KEM.
- Threshold Security: Only when at least t nodes out of n (e.g., t = 3, n = 5) collaborate can encrypted data be unlocked.
- Fault and Compromise Tolerance: There is no single point of failure; compromising fewer than t nodes yields no access to plaintext data.
T3N implements threshold encryption using ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism), a post-quantum cryptographic standard approved by NIST (FIPS 203). Note that ML-KEM is a key-encapsulation mechanism, not a secret-sharing scheme: the t-of-n property comes from the threshold splitting of the key material, while ML-KEM supplies the quantum-resistant protection for the key material exchanged with each node.
Zero-Knowledge Transport Layer Security (zkTLS)
T3N utilizes zkTLS to enable secure, verifiable ingestion of data from external web sources. This allows users or AI agents to consume cryptographically authenticated data from legacy Web2 APIs, while preserving user privacy through zero-knowledge–based selective disclosure.
- Data Authenticity: zkTLS provides cryptographic proof that data was retrieved from a specific TLS-secured origin, without requiring the external service to support T3N or modify its infrastructure.
- Selective Disclosure: Users can generate zero-knowledge proofs over specific properties or fields of a web response, revealing only the minimum information required while proving data correctness.
- Privacy-Preserving Ingestion: The TEE Network can verify external state (e.g., financial or identity data) without accessing user credentials, session cookies, or raw authentication material.
zkTLS verifies the authenticity of the TLS session and response, but does not assert that the data is correct as defined by the source itself: a proven response is only as trustworthy as the origin that served it.
User Control & Identity
T3N empowers users with sovereignty over their digital identity through decentralized standards.

Decentralized Identifiers (DIDs)
Users are identified by did:t3n:<unique-id>. The DID resolves to the user's public keys and service endpoints on-chain, without relying on a central identity provider.
Smart Verifiable Credentials (SVCs)
T3N extends traditional, static verifiable credential (VC) standards by making them dynamic and refreshable, featuring just-in-time claim verification. This is particularly useful for claims that are based on underlying data that changes often, such as accredited investor checks.
- Compatible with major global VC standards, such as W3C VC Data Model, IETF SD-JWT VC, ISO mDL, and OID4VC.
- VCs are encrypted, and VC claims can be verified without exposing underlying data.
- Selective disclosure of data in several ways:
- Allowing users to choose which data fields to share;
- Obfuscating specific data within a field; or
- Allowing users to prove that a specific attribute in a VC meets a certain condition, without revealing the actual value of that attribute.
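The first form of selective disclosure in the list above (the holder chooses which fields to share), shown with the salted-digest mechanism of IETF SD-JWT, which the page names as a supported standard. This is an added example, not T3N's code: the issuer's signature over the payload and the encryption of the VC are omitted, the claims are constructed, and the predicate form in the third bullet (proving a condition without revealing the value) needs a zero-knowledge range proof and is not shown. What it does show is the part that makes the scheme work: the verifier accepts a disclosed field only if the issuer committed to its salted digest.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_disclosure(name, value):
    """SD-JWT disclosure: base64url(JSON([salt, name, value])) with a fresh 128-bit salt.
    The salt stops a verifier from guessing low-entropy values by hashing candidates."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure):
    """SD-JWT digest of a disclosure: base64url(SHA-256 over the disclosure string)."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims, always_visible=("iss", "sub", "exp")):
    """Issuer side: every claim except always_visible is replaced by a salted digest in _sd.
    Returns (payload, disclosures); the signature over the payload is omitted here."""
    payload = {k: v for k, v in claims.items() if k in always_visible}
    disclosures = {name: make_disclosure(name, value)
                   for name, value in claims.items() if name not in always_visible}
    digests = [digest(d) for d in disclosures.values()]
    # One decoy digest (SD-JWT allows these) so the verifier cannot count hidden claims.
    digests.append(digest(b64url(secrets.token_bytes(16))))
    payload["_sd"] = sorted(digests)  # sorted: order must not leak which claim is which
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures


def present(disclosures, reveal):
    """Holder side: send only the disclosures for the claims the verifier needs."""
    return [disclosures[name] for name in reveal]


def verify(payload, presented):
    """Verifier side: a disclosure counts only if its digest appears in the issuer-signed _sd list."""
    if payload.get("_sd_alg") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    allowed = set(payload["_sd"])
    revealed = {}
    for d in presented:
        if digest(d) not in allowed:
            raise ValueError("disclosure not committed to by the issuer")
        _salt, name, value = json.loads(b64url_decode(d))
        if name in revealed or name in payload:
            raise ValueError("duplicate claim " + name)
        revealed[name] = value
    return revealed


def check(payload, presented):
    """Status-code wrapper around verify: (ok, revealed_claims_or_reason)."""
    try:
        return True, verify(payload, presented)
    except ValueError as e:
        return False, str(e)


if __name__ == "__main__":
    # Constructed credential; the DIDs and claim values are assumptions.
    claims = {"iss": "did:t3n:issuer", "sub": "did:t3n:alice", "exp": 1900000000,
              "given_name": "Alice", "accredited_investor": True, "birthdate": "1990-01-01"}
    payload, disclosures = issue(claims)
    print(check(payload, present(disclosures, ["accredited_investor"])))
```

The holder never has to reveal given_name or birthdate to prove accredited_investor, and a holder cannot substitute a claim of their own: a freshly made disclosure with the "right" name and value has a digest the issuer never signed.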
Data Tokens
A data token is a user-signed authorization token that grants a specific party permission to access selectively disclosed user data under well-defined constraints. Each token encodes scope, usage limits, and validity, and is non-transferable by design. Tokens may be issued for single-use or repeated use, depending on the user’s intent. Data tokens can be pre-configured by data owners, enabling seamless automation when interacting with AI agents—without requiring repeated manual approvals or exposing raw data. T3N supports two formats for data tokens, depending on the required trust model and duration:
- On-Chain Tokens: Used for long-lived or standing delegations recorded on the blockchain (e.g., “Agent A may access my travel data indefinitely”).
- Off-Chain Tokens (e.g., JWTs): Used for short-lived, narrowly scoped access grants (e.g., “Read-only access to travel data for 24 hours”).
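An off-chain data token of the kind described in the second bullet, as an added example that is not T3N's token format: a JWT carrying the issuer, the grantee, the scope, the validity window and a usage limit, and a verifier that enforces every one of them before releasing data. The claim names (in particular max_uses), the owner key and the HMAC-SHA256 signature (standing in for a signature verifiable against the owner's DID document) are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed: the data owner's signing key. A real token would carry a signature
# verifiable against the key published in the owner's DID document; HMAC-SHA256
# stands in so the example runs offline with the standard library only.
OWNER_KEY = b"alice-data-token-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _enc(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(owner_did, agent_did, scope, ttl_seconds, max_uses, now=None):
    """Owner side: issue a short-lived, narrowly scoped token to one specific agent."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": owner_did,                   # who granted access
        "aud": agent_did,                   # who may use it: this binding makes the token non-transferable
        "scope": sorted(scope),             # e.g. ["travel:read"]
        "nbf": now,
        "exp": now + ttl_seconds,           # validity window
        "jti": secrets.token_urlsafe(16),   # unique id for the usage counter
        "max_uses": max_uses,               # usage limit (claim name is an assumption)
    }
    signing_input = _enc(header) + "." + _enc(claims)
    sig = hmac.new(OWNER_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class TokenVerifier:
    """Relying party (e.g. a TEE node serving data): checks every constraint before releasing data."""

    def __init__(self, owner_key):
        self.owner_key = owner_key
        self.uses = {}  # jti -> number of accepted uses

    def authorize(self, token, presenter_did, requested_scope, now=None):
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        h, c, s = parts
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":      # pin the algorithm; never let the token choose it
            return False, "alg not allowed"
        expected = hmac.new(self.owner_key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return False, "bad signature"     # nothing below is trusted until the signature holds
        claims = json.loads(b64url_decode(c))
        if claims["aud"] != presenter_did:
            return False, "token not issued to presenter"
        if not claims["nbf"] <= now < claims["exp"]:
            return False, "expired or not yet valid"
        if requested_scope not in claims["scope"]:
            return False, "scope not granted"
        used = self.uses.get(claims["jti"], 0)
        if used >= claims["max_uses"]:
            return False, "usage limit reached"
        self.uses[claims["jti"]] = used + 1   # count only accepted uses
        return True, claims["jti"]


if __name__ == "__main__":
    tok = mint_token("did:t3n:alice", "did:t3n:agent-a", ["travel:read"], 86400, 2)
    v = TokenVerifier(OWNER_KEY)
    print(v.authorize(tok, "did:t3n:agent-a", "travel:read"))
    print(v.authorize(tok, "did:t3n:agent-b", "travel:read"))
```

Non-transferability is enforced by the aud check against the identity of whoever presents the token, and the usage limit by a counter keyed on jti that only advances on accepted requests; a verifier that did not persist that counter could not honour a single-use token.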