KEY-TYPES-AND-GENERATION
| Field | Value |
|---|---|
| Name | Key Types and Generation |
| Slug | 84 |
| Status | raw |
| Category | Standards Track |
| Editor | Mehmet Gonen |
| Contributors | Marcin Pawlowski, Youngjoon Lee, Alexander Mozeika, Thomas Lavaur, Álvaro Castro-Castilla, Filip Dimitrijevic |
Timeline
- 2026-05-28 — d45eed2 — Chore: mirror blockchain specs into github/mdbook (#347)
Revision History
| Version | Changes | Date |
|---|---|---|
| 1.0.0 | Initial revision. | 2026-04-09 |
Introduction
This document defines the key types used in the Blend protocol and describes the process of generating them.
Overview
This document ensures that the keys are used and generated in a common manner, which is necessary for making the Blend protocol work. The keys include:
- Non-ephemeral Quota Key (NQK) — used for proving that a node is a core node.
- Non-ephemeral Signing Key (NSK) — used to authenticate the node on the network level and derive the Non-ephemeral Encryption Key.
- Ephemeral Signing Key (ESK) — used for signing Blend messages, one per encapsulation.
- Non-ephemeral Encryption Key (NEK) — used for deriving shared secrets for message encryption.
- Ephemeral Encryption Key (EEK) — used for encrypting Blend messages, one per encapsulation.
Construction
Non-ephemeral Quota Key
A node generates a Non-ephemeral Quota Key (NQK) that is a ZkSignature key (see Zero Knowledge Signature Scheme (ZkSignature)). The NQK is stored on the ledger as the zk_id field of the DeclarationInfo that results from the node’s participation in the Service Declaration Protocol (SDP — [1.0.0] Service Declaration Protocol).
The NQK is used to prove that the node is part of the set of core nodes as indicated through the SDP.
Non-ephemeral Signing Key
A node generates a Non-ephemeral Signing Key (NSK) that is an Ed25519 key. The NSK is stored on the ledger as the provider_id field of the DeclarationInfo that results from the node’s participation in the Service Declaration Protocol (SDP — [1.0.0] Service Declaration Protocol).
The NSK is used to authenticate the node on the network level and to derive the Non-ephemeral Encryption Key.
Ephemeral Signing Key
A node generates Ephemeral Signing Keys (ESK) that are proved to be limited in number by the Proof of Quota (PoQ — [1.0.1] Proof of Quota). The PoQ for core nodes requires a valid NQK for the session for which the PoQ is generated.
A unique signing key must be generated for every encapsulation as required by the [1.0.0] Message Encapsulation Mechanism.
The key must not be reused. Otherwise, the messages that reuse the same key can be linked together. The node is responsible for not reusing the key.
Non-ephemeral Encryption Key
A node generates a Non-ephemeral Encryption Key (NEK). It is an X25519 curve key derived from the NSK (Ed25519) public key retrieved from the provider_id, which is stored on the ledger when the node executes the SDP protocol.
The NEK is used, together with the EEK defined below, to derive a shared secret for Blend message encapsulation.
Ephemeral Encryption Key
A node derives an Ephemeral Encryption Key (EEK) pair using the X25519 curve from the ESK.
A unique encryption key must be generated for every encapsulation as required by the [1.0.0] Message Encapsulation Mechanism.
The derivation of a shared secret for the encryption of an encapsulated message requires using the EEK of the sender and the derived X25519 key from the NEK of the recipient.
The key must not be reused. Otherwise, the messages that reuse the same key can be linked together. The node is responsible for not reusing the key.
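The NEK and EEK sections above describe deriving X25519 keys from Ed25519 keys and combining them into a shared secret. The following sketch is an added example, not code from the specification or the project. It assumes the conventional Ed25519-to-X25519 conversion (the birational map for public keys and the clamped SHA-512 of the seed for private keys, which the page does not spell out) and that the ESK is an Ed25519 key like the NSK; all function names are hypothetical.

```python
import hashlib
P = 2**255 - 19                      # Curve25519 field prime
BASE = (9).to_bytes(32, "little")    # X25519 base point u = 9

def clamp(b: bytes) -> bytes:
    a = bytearray(b[:32]); a[0] &= 248; a[31] &= 127; a[31] |= 64
    return bytes(a)

def x25519(k: bytes, u: bytes) -> bytes:  # RFC 7748 ladder; NOT constant time
    n = int.from_bytes(clamp(k), "little")
    x1 = int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def ed_seed_to_x25519_sk(seed: bytes) -> bytes:
    return clamp(hashlib.sha512(seed).digest())  # Ed25519 secret scalar

def ed_pk_to_x25519_pk(pk: bytes) -> bytes:
    y = int.from_bytes(pk, "little") & (2**255 - 1)  # drop the sign bit of x
    return ((1 + y) * pow((1 - y) % P, P - 2, P) % P).to_bytes(32, "little")

def shared_secret(own_sk: bytes, peer_pk: bytes) -> bytes:
    s = x25519(own_sk, peer_pk)
    if s == bytes(32):  # peer key was a low-order point
        raise ValueError("all-zero X25519 output")
    return s

# Constructed input: RFC 8032 7.1 test-1 key pair standing in for the recipient's NSK.
NSK_SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PROVIDER_ID = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")

def encapsulation_secrets(esk_seed: bytes):
    eek_sk = ed_seed_to_x25519_sk(esk_seed)   # sender: EEK derived from the ESK
    eek_pk = x25519(eek_sk, BASE)
    sender = shared_secret(eek_sk, ed_pk_to_x25519_pk(PROVIDER_ID))  # NEK
    recipient = shared_secret(ed_seed_to_x25519_sk(NSK_SEED), eek_pk)
    return sender, recipient
```

In a node, `esk_seed` would come from a CSPRNG and be used for exactly one encapsulation; passing the same seed twice yields the same EEK public key, which is the linkability the specification warns about.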