Patent Pending | GB2610661.7

Encryption that knows where it is.

Post-quantum key derivation bound to verified physical location, registered hardware, and authorised time. Not a policy layer. A cryptographic constraint.

Three-Factor Entropy-Fused Geo-Fenced Encryption

See the Threat Context Discuss Your Use Case

ML-KEM-1024TPM 2.0GPS | Galileo | GLONASSAES-256-GCM

Live cryptographic boundary

GNSS

Location verified

TPM

Awaiting input

T+

Awaiting input

encrypt sequence / Acquire signals

Active Threat Context

active

GNSS Interference

GNSS spoofing and jamming incidents have increased across multiple regions. Location-based trust assumptions are under active attack.

escalating

Harvest-Now, Decrypt-Later

Adversaries are collecting encrypted data today, waiting for quantum capability. PQC migration pressure is real and time-sensitive.

urgent

PQC Migration Pressure

NIST finalised ML-KEM and ML-DSA in 2024. Organisations not migrating to post-quantum key establishment are exposed.

structural

Credential Portability Failure

Valid credentials used from unauthorised locations represent a structural gap that policy-based access control cannot close cryptographically.

The Problem

Policy-based access control has structural gaps.

Identity and access management controls who is allowed. It does not change whether the key can be re-derived at all. A stolen credential, a cloned device, or an intercepted session token used from outside the authorised boundary can still unlock protected data.

GFAE addresses this at the key derivation layer. The decryption key itself becomes impossible to re-derive outside the authorised physical, hardware, and temporal context.

Harvest-Now, Decrypt-Later

Quantum-era threat to today's encrypted data.

Location Spoofing

Software-layer geolocation trivially bypassed.

Device Cloning

Credential stores copied without hardware root.

Stolen Credentials

Valid tokens used from any global location.

How GFAE Works

Four inputs enter. One bound key emerges.

A post-quantum secret is fused with verified location context, hardware attestation, and an authorised time window. Switch between encryption and decryption below to see why copied ciphertext is not enough.

Full technical architecture

Live concept visualisation

Choose a direction and watch the gating sequence resolve.

PQC secret

ML-KEM-1024

Signal context

GNSS integrity

...

Hardware root

TPM 2.0

...

Time epoch

Window T+04

...

Fusion engine

PROCESSING

HKDF-SHA-512

Generating post-quantum shared secret

Ciphertext output

Awaiting fused key material...

Concept-level visualisation. Missing or invalid location, hardware, or time input produces no usable key output.

Threat Fit Analysis

Attack-to-GFAE Matrix

Selected entries. Full matrix includes 10 attack scenarios across all sectors.

Attack / Failure Mode	Existing Gap	GFAE Response
GNSS Spoofing / Signal Injection	Browser geolocation and IP-based checks trivially bypassed; no signal-level validation.	GFAE incorporates physical signal-quality context and multi-constellation consensus checks as a key derivation input, raising the cost of location forgery.
Harvest-Now, Decrypt-Later (HNDL)	Encrypted data captured today can be decrypted once quantum computers reach sufficient scale. RSA / ECDH ciphertext is already at risk.	GFAE uses ML-KEM-1024 (NIST FIPS 203 final standard) for post-quantum key establishment, protecting long-lived ciphertext against future quantum attacks.
Stolen Device / Credential Theft	A stolen device with valid credentials can authenticate from any location, at any time.	Key re-derivation in high-assurance mode requires concurrent satisfaction of hardware attestation, physical location context, and time window. A stolen device relocated outside the authorised boundary cannot re-derive the decryption context.
Device Cloning / Emulation	Software credential stores can be cloned; virtual machines can emulate device identifiers.	Hardware attestation using TPM 2.0 provides a hardware-rooted trust anchor. Cloned software credentials without the original hardware cannot pass attestation.
Cloud Region / Data Residency Enforcement Gap	Cloud region labels are policy-based and administrative. Data can be accessed from outside declared regions through misconfigured permissions or compromised IAM.	GFAE binds key derivation to a defined geographic polygon. Decryption is cryptographically impossible outside the authorised polygon, regardless of IAM state.

View full threat matrix

Core Concept

Compliance-by-Geometry

The authorised operating boundary is not just written in policy. It becomes part of the cryptographic enforcement condition.

In regulated environments, data access is governed by geographic boundaries: a healthcare facility, a national jurisdiction, a secure zone. GFAE makes those boundaries real, not as policy rules enforced after the fact, but as cryptographic constraints baked into key derivation. The regulatory boundary and the encryption boundary become the same boundary.

Sectors

Where GFAE applies

GFAE is designed for environments where physical location, hardware identity, and time are legitimate security constraints, not just policy aspirations.

Defence & Military

Protect forward operating base intelligence, UAV command-and-control, and sensitive assets against captured-equipment and spoofing threats.

Learn more

Space & Satellite

Bind ground station telemetry and command keys to the physical station polygon and the specific contact window.

Learn more

NHS & Healthcare

Enforce facility-bound clinical data access with cryptographic geofencing aligned to GDPR Article 25 privacy-by-design principles.

Learn more

Critical Infrastructure

Restrict SCADA and control-room access to authorised physical sites and maintenance windows with cryptographic enforcement.

Learn more

Enterprise

Enforce cloud data residency, legal document access controls, and regulated sector compliance with a cryptographic boundary.

Learn more

Comparison

How GFAE differs

GFAE is not a VPN replacement, an IAM upgrade, or a DRM system. It addresses a specific cryptographic layer that none of these cover.

Capability	GFAE	VPN	IAM	Geo DRM	Cloud Policy
Post-quantum key establishment
TPM hardware binding
Live physical signal context
Time-window key derivation
Fail-closed design
Cryptographic boundary enforcement
Anti-spoofing awareness

Partial (|) indicates limited or optional capability. GFAE complements, not replaces, VPN, IAM, and cloud policy layers.

Technical Standards & Context

Patent PendingGB2610661.7

ML-KEM-1024NIST FIPS 203

TPM 2.0Hardware Attestation

HKDF-SHA-512Key Derivation

AES-256-GCMData Encryption

GNSS Signal EntropyMulti-Constellation

University of SurreyMSc Cyber Security

GFAE GlobalFounded 2025

Founded by

Dhruv Saini

Founder & Inventor, GFAE Global

MSc Cyber Security, University of Surrey

Sole InventorPatent PendingMSc Cyber Security

Evaluate GFAE for your organisation.

Technical briefings, NDA disclosure, and pilot discussions available. Suitable for defence innovation reviewers, CISOs, healthcare data governance, space operators, and critical infrastructure evaluators.

Request a Briefing View Illustrative Demo

Patent Pending | GB2610661.7 · Independent research by Dhruv Saini