|
1 | | ---- |
2 | | -slug: root-keypair-generation |
3 | | -title: Root Keypair Generation in Polykey |
4 | | -authors: [Christina] |
5 | | -tags: ['cryptography', 'security', 'elliptic-curve', 'ed25519', 'polykey'] |
6 | | ---- |
7 | | - |
8 | 1 | # Root Keypair Generation in Polykey |
9 | 2 |
|
10 | 3 | Polykey’s entire encryption model revolves around Hybrid Elliptic Curve Integrated Encryption Scheme (ECIES), and the Root Keypair is the foundation of everything. It’s the cryptographic identity of a node, making secure communication, encryption, and key derivation possible. |
11 | 4 |
|
12 | 5 | This doc covers: |
13 | | -* What the Root Keypair is. |
14 | | -* How it’s generated. |
15 | | -* How it spits out a DEK (Data Encryption Key). |
| 6 | + * What the Root Keypair is. |
| 7 | + * How it’s generated. |
| 8 | + * How it spits out a DEK (Data Encryption Key). |
16 | 9 |
|
17 | 10 | --- |
18 | 11 |
|
19 | | -## What is the Root Keypair? |
| 12 | +## What is the Root Keypair? |
20 | 13 | The Root Keypair is an Ed25519 elliptic curve keypair that serves as the node’s identity in Polykey. |
21 | 14 |
|
22 | 15 | It’s made up of: |
23 | | -* Private Key **:** A 256-bit secret, randomly generated and never shared. |
24 | | -* Public Key **:** Derived from the private key and used for authentication and key exchange. |
| 16 | + * Private Key: A 256-bit secret, randomly generated and never shared. |
| 17 | + * Public Key: Derived from the private key and used for authentication and key exchange. |
25 | 18 |
|
26 | | -### Why do we care? |
27 | | -1. Identity **:** Every Polykey node has a unique Root Public Key |
28 | | -2. Key Exchange **:** It’s used in the Key Encapsulation Mechanism (KEM) to securely share encryption keys. |
29 | | -3. Data Encryption **:** It’s how we derive a DEK , which encrypts stored data. |
| 19 | +### Why do we care? |
| 20 | +1. Identity: Every Polykey node has a unique Root Public Key. |
| 21 | +2. Key Exchange: It’s used in the Key Encapsulation Mechanism (KEM) to securely share encryption keys. |
| 22 | +3. Data Encryption: It’s how we derive a DEK, which encrypts stored data. |
30 | 23 |
|
31 | 24 | --- |
32 | 25 |
|
33 | | -## Generating the Root Keypair |
34 | | -The process is deterministic, secure, and clean: |
| 26 | +## Hybrid Cryptosystem Overview |
| 27 | +Before generating the Root Keypair, we need to understand how encryption works in Polykey. |
| 28 | + |
| 29 | +A hybrid cryptosystem consists of: |
| 30 | +1. Key Encapsulation Mechanism (KEM): Uses asymmetric encryption (Ed25519) to securely transmit a symmetric key. |
| 31 | +2. Data Encapsulation Scheme (DEM): Uses symmetric encryption (AES/ChaCha20) for bulk encryption of Polykey’s state. |
| 32 | + |
| 33 | +Before we can encrypt anything, we must generate the Ed25519 Root Keypair. |
| 34 | + |
| 35 | +[Insert Image Here: Hybrid Cryptosystem Diagram] |
| 36 | + |
| 37 | +--- |
| 38 | + |
| 39 | +## Generating the Root Keypair |
| 40 | +The process is deterministic, secure, and clean. |
| 41 | + |
| 42 | +### Step 1: Root Keypair Generation Begins |
| 43 | + * The user or console triggers keypair generation. |
| 44 | + * The system gathers high-entropy randomness to ensure security. |
| 45 | + |
| 46 | +[Insert Image Here: Root Keypair Generation Trigger] |
| 47 | + |
| 48 | +--- |
| 49 | + |
| 50 | +### Step 2: BIP39 Wordlist & Recovery Code |
| 51 | + * Entropy is converted into a mnemonic phrase using the BIP39 English Wordlist . |
| 52 | + * The 24-word recovery code represents 264 bits of entropy. |
| 53 | + |
| 54 | +[Insert Image Here: BIP39 Recovery Code Generation] |
| 55 | + |
| 56 | +--- |
| 57 | + |
| 58 | +### Step 3: Mnemonic to Binary Seed |
| 59 | + * The 24-word recovery code is converted into a binary seed using PBKDF2. |
| 60 | + * Uses HMAC-SHA512 with 2048 iterations. |
| 61 | + * The binary seed is 512 bits, then truncated to 256 bits. |
| 62 | + |
| 63 | +[Insert Image Here: PBKDF2 & Binary Seed Truncation] |
| 64 | + |
| 65 | +--- |
| 66 | + |
| 67 | +### Step 4: Generating the Keypair |
| 68 | + * The 256-bit seed is fed into the Ed25519 algorithm to generate a private key. |
| 69 | + * Scalar multiplication is performed to derive the public key. |
| 70 | + |
| 71 | +[Insert Image Here: Private Key & Public Key Generation] |
| 72 | + |
| 73 | +--- |
35 | 74 |
|
36 | | -1. Get High Entropy Randomness |
37 | | - * A cryptographically secure random number generator (CSPRNG) provides the randomness needed. |
38 | | - * This ensures the private key is unpredictable and safe. |
| 75 | +## How is the DEK Made? |
| 76 | +The Data Encryption Key (DEK) is derived from the Root Keypair using a Key Derivation Function (KDF). |
39 | 77 |
|
40 | | -2. Generate the Ed25519 Keypair |
41 | | - * A 256-bit private key is generated. |
42 | | - * A public key is derived from it using Curve25519 elliptic curve math. |
| 78 | +1. Elliptic Curve Diffie-Hellman (ECDH) |
| 79 | + * The Root Private Key and another node’s Public Key are combined to create a shared secret. |
| 80 | + |
| 81 | +2. Run It Through a KDF |
| 82 | + * A Key Derivation Function (likely HKDF-SHA256) converts the shared secret into a 256-bit symmetric DEK. |
43 | 83 |
|
44 | | -3. Store the Keypair |
45 | | - * The private key is stored securely in the Polykey vault. |
46 | | - * The public key is used for authentication and key exchange. |
| 84 | +3. Store or Re-Derive the DEK |
| 85 | + * The DEK is either stored securely or regenerated when needed. |
47 | 86 |
|
48 | | -4. Use It to Generate a DEK |
49 | | - * The Root Keypair is fed into a KDF (Key Derivation Function) to generate a DEK (Data Encryption Key). |
50 | | - * The DEK is then used to encrypt Polykey’s stored data. |
| 87 | +[Insert Image Here: DEK Generation Process] |
51 | 88 |
|
52 | 89 | --- |
53 | 90 |
|
54 | | -## How is the DEK Made? |
55 | | -The DEK (Data Encryption Key) is derived from the Root Keypair using a KDF. Here’s the breakdown: |
| 91 | +## Final Output: The Root Keypair |
| 92 | + * The final result is a Public and Private Keypair, each 32 bytes (256 bits) long. |
| 93 | + * Key size benefits: |
| 94 | + * More efficient than RSA prime factorization. |
| 95 | + * 256-bit Ed25519 key provides same security as a 3072-bit RSA key. |
| 96 | + * Public key can be encoded using multibase base32z. |
56 | 97 |
|
57 | | -1. Elliptic Curve Diffie-Hellman (ECDH) |
58 | | - * The Root Private Key and another node’s Public Key are combined to create a shared secret. |
59 | | - |
60 | | -2. Run It Through a KDF |
61 | | - * A Key Derivation Function (probably HKDF-SHA256) turns the shared secret into a 256-bit symmetric DEK. |
62 | | - |
63 | | -3. Store or Re-Derive the DEK |
64 | | - * The DEK is either stored securely or regenerated when needed. |
| 98 | +[Insert Image Here: Final Root Keypair Output] |
65 | 99 |
|
66 | 100 | --- |
67 | 101 |
|
68 | | -## Wrapping it Up |
69 | | -The Root Keypair is the cornerstone of Polykey’s encryption model. It enables secure messaging, key exchange, and encryption using Ed25519 elliptic curve cryptography. |
| 102 | +## Wrapping It Up |
| 103 | +The Root Keypair is the foundation of Polykey’s encryption model. It enables: |
| 104 | +* Secure messaging |
| 105 | +* Key exchange |
| 106 | +* Encryption using Ed25519 elliptic curve cryptography . |
70 | 107 |
|
71 | | -The DEK, derived from the Root Keypair, locks down all stored data with strong encryption. This whole setup is more efficient, faster, and more secure than traditional RSA-based encryption. |
| 108 | +The DEK, derived from the Root Keypair, locks down all stored data with strong encryption. |
| 109 | +This entire setup is faster, more efficient, and more secure than traditional RSA-based encryption. |
72 | 110 |
|
73 | | -That’s it. Root Keypair = Identity. DEK = Encrypted data. Simple, secure, and built for performance. |
| 111 | +That’s it. Root Keypair = Identity. DEK = Encrypted data. Simple, secure. |
0 commit comments