XOR encryption with simulated server component. The demo simulates a server fragment S while your browser stores two client fragments C1 and C2. Reconstructing the plaintext requires all three. The gap this simulated approach leaves is what Demo 3 closes.
Alice Chen (ID 1001) has a protected record. The server stores an XOR fragment — D XOR C — where D is the plaintext data and C is Alice's client component. The server alone cannot reconstruct the plaintext.
Your browser holds Alice's component (generated on first visit, stored in localStorage, never sent to the server). When you view Alice's record, the component is applied locally and the data reconstructs.
Click another user. The server returns their fragment — but their component is on their device. Without it, the fragment is unreadable noise.
The client component is stored on one device. Compromise that device — a keylogger, phishing page, or physical access — and the component is exposed. Everything decrypts.
Demo 3 shows what happens when one component is not stored anywhere at all — derived live from the display environment and discarded immediately. No chip to steal.