
The goal of a truly private and decentralized network is moving forward, with the release of vetKeys functionality on the Internet Computer Protocol (ICP) and the arrival of the Niobium milestone. Developers now have tools to create a new wave of trusted on-chain services, opening up vast new realms for dapps.

The openness of blockchains is certainly an advantage, but it conflicts with privacy needs in many use cases. Privacy has long been a consideration for blockchain technology.

As noted by DFINITY Foundation developer evangelist Kristofer Lund, this has become a barrier for many people: 'When you discuss building applications on the blockchain with users in the real world,' he said, 'the conversation almost stops once they learn their data will be public.'

For many organizations, especially those needing to comply with regulations like the EU's General Data Protection Regulation (GDPR), this makes it impossible to build applications on public chains.

Now, vetKeys provide an answer to this concern.

What are vetKeys?

As Kristofer said, the core of vetKeys is 'the ability to create cryptographic keys in a decentralized environment and securely transmit them to users.' He calls it a 'game changer' because it solves the problem of how to protect information privacy on a public network.

In other words, vetKeys offers you the best of both worlds: you can leverage the trust and uptime of public chains without exposing all data. It provides developers with a toolkit to protect user information privacy, even in transparent networks, and importantly, it does so without requiring centralized entities to manage keys.

The engine behind this is known as Verifiable Cryptographic Threshold Key Derivation (vetKD). To understand its practical application, let's look at an example of a secure process to achieve this goal:

  • Request: A user interacting with the dapp generates a temporary, one-time-use 'transmission key pair' and provides the public part to the dapp's smart contract (referred to as a container on the Internet Computer).

  • Access Control: The container checks the user's identity and requests the nodes on the network to derive a specific key for that user, the vetKey.

  • Derivation Process: Each node in the network independently creates secret shares of the final vetKey, then each node encrypts its share using the user's transmission key. These individual locked shares are then collected and combined into a final secure package for the user. Crucially, no single node can access the complete key, and the key itself is never exposed on the network.

  • Unlocking: Only the user can decrypt the final derived vetKey on their device using the secret part of their original transmission key. The user can even verify the validity and integrity of the package before opening it.

This setup makes concepts like identity-based encryption (IBE) practically feasible. For instance, in encrypted chat applications, some form of key exchange is usually required, but with vetKeys, Kristofer explains: 'We no longer need that because I can derive your public key; we just use your username as the identifier.'

What can you build with vetKeys?

With vetKeys, smart contracts on the Internet Computer can act as gatekeepers, meaning they can enforce rules on who can access keys at what time. The powerful combination of vetKeys and smart key containers provides developers with the opportunity to create a plethora of new applications, of which only a few are listed below.

Personal Data Vaults and Secure Storage

vetKeys enables applications to fully protect individual privacy. Kristofer emphasizes that this model 'only requires me to derive a vetKey for myself and securely transmit it to myself.'

In this model, you can build applications such as secure on-chain journals, password managers, or private notepads, where users derive a key based on their unique identity information that only they can access. This allows them to encrypt their most sensitive personal data and store it on the blockchain, confident that they are the only key holders.

This addresses a classic problem for dapps handling sensitive files: how can users access encrypted documents across different devices without leaking their keys? By using vetKeys to derive a consistent key based on user identity, users can securely access their data from any device, which is crucial for high-security document management.

Secure Communication and Collaboration

vetKeys allows for the construction of systems where users can communicate and share information with complete privacy while managing access control on-chain.

As mentioned, a foundational use case is end-to-end encrypted chat, where developers can create a dapp allowing users to obtain the public key of others using just their usernames to send a secret message. The recipient can obtain their private key to read the message after proving their identity, and the 'container' acts as a gatekeeper, ensuring only the correct user can obtain their key.

Time-Based Reveal

This feature unlocks applications that will only reveal information after a certain period, all enforced by the blockchain.

For auctions or voting, you may want to keep bids confidential. As Kristofer said: 'This way, no one can exploit others' bids for profit.' Using vetKeys, bidders can lock their bids with a key tied to the auction end time, and when the time is up, the container administrator can retrieve the key to unlock all bids at once and display the results.

Another key use case is the 'dead man's switch,' where a journalist holding sensitive information can lock it with a timer-based key. As Kristofer describes: 'They need to enter the interface every 24 hours... press a button to extend the lock time.' If they fail to do so for any reason, the timer runs out and the key becomes available, making the information public.

Fair Financial Systems

For the DeFi world, vetKeys technology provides tools to build applications that can prevent front-running and other forms of market manipulation.

A major issue in DeFi is Maximum Extractable Value (MEV): most blockchain transactions are broadcast to a public waiting room before confirmation, allowing participants to see and exploit this information for profit. By using vetKeys to encrypt transaction details, these participants are blinded: they cannot see transaction opportunities in the waiting room, since the transaction contents remain confidential until the block is finally confirmed.

This simple enforcement of privacy closes off entire exploitation avenues, making DeFi fairer.

Provably Fair Randomness

vetKeys can also support the creation of games or any system where the results must be random and fair to all participants.

A good example is using vetKeys as Verifiable Random Functions (VRFs), meaning it can generate random results that anyone can verify for fairness, which is critical for fair casino games, lotteries, and rare item drops.

Secure On-Chain Signatures and Interoperability

This technology gives smart contracts their own cryptographic 'pens' to sign data, enabling them to interact authoritatively with other blockchains or prove facts to the outside world.

Using vetKeys, containers can instruct the nodes of their subnet to generate standard BLS signatures, which support aggregating multiple individual signatures into a single compact signature, or can be used in multi-signature protocols.

This will make the container itself a decentralized signer, a feature that is a cornerstone for building a more interconnected and trustworthy multi-chain world. It allows containers on the Internet Computer to sign transactions and submit them to another chain or issue verifiable on-chain credentials to users, all without a centralized bridge.

Chain Fusion has already allowed containers to sign transactions. It also supports other schemes like threshold ECDSA, Schnorr, and EdDSA. With vetKeys, containers can now leverage additional signing schemes, opening new possibilities for builders.

The ecosystem is building

Projects in the ICP ecosystem are already exploring these possibilities, from secure messaging and file storage applications to new forms of decentralized governance.

OpenChat is an example, a community chat application running on the Internet Computer. As described by OpenChat co-founder Hamish Peebles: 'OpenChat will use vetKeys to support end-to-end message encryption. By using vetKeys, if users lose their devices, they will be able to securely regenerate their encryption keys and regain access to their messages, which is not possible with any other encrypted messaging service.'

Another project integrating vetKeys is Diode.io. Diode.io CEO Hans Rempel stated, 'With vetKeys, we can quickly store private data in storage containers without needing to create out-of-band encryption methods in advance, allowing us to act swiftly while continuing to provide users with self-custody, private connections, and communication methods.'

Dominic Letz, co-founder and CTO of Diode.io, also emphasized the value of vetKeys for user privacy: 'All data, even when stored in storage containers, is fully end-to-end encrypted. We cannot read it, nor can ICP personnel. In fact, only the data owner, the user of the application, can read and decrypt their data.'

These examples demonstrate the direct and practical value of vetKeys, with more to come in the future.

A New Way of Thinking

While vetKeys opens many doors, developers need to think in new ways to unlock them. As Kristofer warns, 'If you approach it with the mindset of being able to build applications as you did on Web2, you will end up building them incorrectly.'

We need new ways of building. Due to on-chain costs for storing data and generating keys, applications that handle large files or need to change keys frequently must be carefully planned. Successful projects will leverage the advantages of this technology and find clever ways to capitalize on the opportunities it presents.

For example, a paid blog could generate a new key for all its posts each month to reduce costs. Kristofer noted that over time, 'these new design patterns will emerge.' Excitingly, these opportunities are there, waiting for builders to seize them.

The Road Ahead

It is worth noting that the privacy assurance mechanism of vetKeys is comprehensive. It always provides security for your data until it is unlocked. Currently, for optimal security, data can only be unlocked in the user's web browser. Once the smart contract unlocks the data, you can no longer assume that this information is private. 'If you decrypt in the storage container,' Kristofer points out, 'then it becomes public again.'

But this signals the next major leap: Trusted Execution Environments (TEEs). With TEEs, containers will be able to unlock and process data from a securely isolated area inside the node, then relock it, while the node never sees the raw data.

When that day comes, Kristofer stated, it will open doors for 'all conventional Web2 business use cases' to operate entirely privately on public blockchains.

The era of on-chain privacy has truly begun, and it's time to start building.

Ready to start building with vetKeys? Browse the developer documentation for guides and examples:

  • internetcomputer.org/docs/building-apps/network-features/vetkeys/introduction
