Introducing ENP-P™: Electrical Non-Persistence with Predicate — A CMOS Primitive for Single-Use Secrets

Modern cryptography still relies on memory elements that persist—electrically stable nodes that remain readable long after software thinks a secret is gone. This architectural assumption underlies a vast ecosystem of attacks: speculative-execution leaks, DMA snooping, cold-boot remanence, fault injection, microarchitectural sampling, and more. Ephemeral secrets in post-quantum cryptography (PQC)—especially large decapsulation keys—are among the most vulnerable.

My new preprint, A CMOS Electrical Non-Persistence Primitive for Single-Use Secrets, introduces a radically different model: Electrical Non-Persistence with Predicate, or ENP-P™. This is the circuit-level technology behind what I call “read-once memory” or ROOM—a primitive that enforces deterministic single-use semantics in hardware.


Why ENP-P™ Exists

A secret stored in SRAM or a flip-flop is electrically stable. Even after a “zeroization” write, it remains observable for part of a cycle, or through residual charge, speculative probing, debugging fabric, or bus reorderings. Software wrappers help but can’t eliminate the fundamental issue: the memory cell wants to persist.

ENP-P™ starts from the opposite premise:

The safest secret is one that is disclosed exactly once and then physically ceases to exist.

ENP-P™ formalizes a simple but overlooked requirement:
A read must be simultaneously a measurement and an irreversible collapse.

This collapse is not a synchronous reset. It is a physical grounding event at the storage node—an immediate electrical transition that cannot be delayed, reordered, speculated, or replayed by any microarchitectural feature.


What ENP-P™ Actually Does

At the circuit level, ENP-P™ implements three rules:

  1. Predicate-gated visibility:
    The stored secret is masked internally (e.g., XOR’d per word with an 8-bit basis).
    Only if the caller supplies the correct basis in the same cycle as the measurement does the cell reveal the true 256-bit value.
  2. Deterministic, atomic collapse:
    A read triggers a forced electrical collapse—grounding the internal node and destroying all stored charge, independent of the system clock.
    After collapse, the cell is inert and cannot return a second valid output.
  3. No post-use electrical persistence:
    After collapse, no probe—software or physical—can extract the former value, because the former value no longer exists anywhere in RAM, buffers, or the cell’s transistors.

This gives you two powerful security invariants:

  • Single-use secrecy: the system gets one chance to use a key, and never again.
  • No multi-use leakage window: attacks that rely on lingering electrical state are simply defeated, because the state is gone.
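The three rules above can be exercised as a small behavioural model. This is an added example, not code from the preprint, and it models only the read semantics in software, not the electrical collapse. The names `ReadOnceCell` and `demo`, the one-byte word size, the single basis byte shared by all words, and the output of a wrong-basis read are assumptions.

```python
WORD_BYTES = 32  # assumption: the 256-bit cell is modelled as 32 one-byte words


class ReadOnceCell:
    """Hypothetical software model of the three rules; not a circuit simulation."""

    def __init__(self, secret: bytes, basis: int):
        if len(secret) != WORD_BYTES or not 0 <= basis <= 0xFF:
            raise ValueError("need a 256-bit secret and an 8-bit basis")
        # Rule 1: the cell only ever holds the masked form of the secret.
        self._node = bytearray(b ^ basis for b in secret)

    def read(self, basis: int):
        """Measure the cell once; returns 32 bytes, or None once collapsed."""
        if self._node is None:
            return None  # inert after collapse: no second valid output
        node, self._node = self._node, None  # Rule 2: the read is the collapse
        # Unmask with the caller's basis. A wrong basis gives a value that
        # differs from the secret (assumption: the page does not specify it).
        out = bytes(b ^ (basis & 0xFF) for b in node)
        # Rule 3: clear the stored bytes so the model keeps no copy.
        for i in range(WORD_BYTES):
            node[i] = 0
        return out


def demo():
    secret = bytes(range(WORD_BYTES))  # constructed sample secret
    cell = ReadOnceCell(secret, basis=0xA5)
    first = cell.read(0xA5)    # correct basis: true value, then collapse
    second = cell.read(0xA5)   # cell is inert
    burned = ReadOnceCell(secret, basis=0xA5)
    wrong = burned.read(0x5A)  # wrong basis still consumes the single read
    retry = burned.read(0xA5)  # correct basis now arrives too late
    return first == secret, second, wrong == secret, retry


if __name__ == "__main__":
    print(demo())
```
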

How ENP-P™ Maps to the Paper

The TechRxiv paper formalizes ENP-P™ as a measurement–collapse primitive. It shows:

  • A CMOS-compatible 256-bit read-once cell
  • Per-cycle basis-conditioned access (the predicate)
  • A grounding network implementing the collapse
  • Security implications for PQC ephemeral decapsulation secrets
  • Why synchronous reset is not atomic collapse
  • FPGA instantiations using LUT-based collapse approximations
  • How ENP-P™ closes attack surfaces defined in SP 1800-38

The paper focuses especially on electrical non-persistence, demonstrating that preventing a secret from persisting even for a nanosecond longer than necessary removes entire microarchitectural side channels that existing “zeroization” methods cannot touch.


Why This Matters for PQC

Post-quantum KEM decapsulation requires large, ephemeral private values that often persist far longer than intended:

  • They remain in registers, BRAM, L1 caches
  • They may spill into shared buffers
  • They can be captured by DMA or debug fabric
  • They may leak under transient execution
  • They remain electrically in SRAM even after software overwrites them

ENP-P™ eliminates these exposures by changing the underlying assumption:

There is no opportunity to leak a secret after the read, because the secret no longer exists.

This aligns with NIST SP 1800-38 and NSA’s guidance on ephemeral key protection during PQC migration.


Comparison to “Zeroization” and Flip-Flop Resets

Engineers often assume that tying a read-enable to a synchronous reset is equivalent. It isn’t:

Method | Collapse Timing | Persistence Window | Vulnerable to Glitch / Speculation?
Synchronous reset | Next rising edge | One full cycle | Yes
Asynchronous reset | Not clock-bound, but races | Sub-cycle persistence | Yes
Software zeroization | Many cycles | Multi-cycle | Yes
ENP-P™ collapse | Immediate electrical event | None | No

This is why ENP-P™ is a primitive, not a wrapper.


Applications Beyond PQC

  • Secure-boot enclaves
  • HSMs and TEEs
  • Satellite and autonomous swarm systems
  • Forward-secure key rotation
  • Single-use authorization tokens
  • Anti-capture systems for field devices
  • Supply-chain / attestation architectures

Anywhere the threat model assumes an attacker with physical, side-channel, or speculative capability, electrical non-persistence removes an attack surface instead of trying to patch it.


Closing Thoughts

ENP-P™ marks the beginning of a new class of memory semantics: the secret that is designed not to persist. This paper is the first to formalize and implement it at the CMOS level, demonstrate FPGA prototypes, and analyze its implications for PQC migration.

If you want deterministic single-use secrecy with provable elimination of electrical persistence, ENP-P™ is the foundation.

