UACI assumes an adversary with the following capabilities:

• Access to the generated output (but not the private key vault)
• Ability to apply standard transformations — compression, re-encoding, paraphrasing, format conversion
• Ability to attempt replay attacks using previously captured UACI IDs

UACI does not assume:

• Protection against an adversary with physical access to KMS private keys
• Resilience against adversaries who can modify the PAIR Router itself

Vector: JPEG recompression at low quality settings to destroy watermark. Mitigation: BCH(127, 64) triple redundancy — validated > 99.5% recovery at Q=30 triple compression.

Vector: Format conversion (JPEG → PNG → JPEG) to degrade watermark signal. Mitigation: Spread-spectrum DCT embedding distributes signal across frequency components — resilient to format-preserving re-encoding.

Vector: AI-assisted paraphrasing to remove token-level watermark. Mitigation: Token insertion targets semantic anchors rather than surface tokens — partial resilience. Full robustness against advanced paraphrase attacks is a roadmap item.

Vector: Adversary obtains AES-GCM encryption key. Mitigation: 90-day key rotation; KMS audit logging; compromised key window limited to rotation period.

Vector: Nonce collision enabling ciphertext comparison attacks. Mitigation: 96-bit random nonce per injection — collision probability negligible at operational scale.

Key destruction permanently prevents decryption of associated P3 Capsule. Content watermark remains intact — only the private provenance metadata becomes inaccessible.

Key escrow enables lawful decryption under subpoena without exposing the general key management system.

user_hash and intent_hash are salted SHA-256 digests — original values are never stored in the vault. Salt rotated every 30 days.