
With the arrival of the Niobium milestone, the Internet Computer Protocol (ICP) has made significant strides in its mission to elevate blockchain privacy to new heights. With this milestone, vetKeys is implemented, live, and available to all ICP-based developers. This upgrade opens the door to decentralized key management and on-chain data privacy, marking the beginning of the Internet Computer privacy era.

Blockchain is inherently transparent, which is ideal for integrity and availability. However, this poses a limitation for many real-world applications that rely on privacy (such as messaging, identity verification, healthcare, finance, governance, and gaming).

With vetKeys, developers can seamlessly integrate end-to-end encryption into their applications, ensuring that sensitive data is protected even on public chains. By leveraging a protocol called 'verifiably encrypted threshold key derivation,' vetKeys provides strong confidentiality and security even in decentralized environments.

What does the Niobium milestone bring?

The core of vetKeys is a newly integrated verifiably encrypted threshold key derivation protocol (vetKD), which allows smart contracts running on the Internet Computer Protocol (ICP), known as 'canisters,' to request strongly encrypted keys that are securely derived and managed by subnet nodes.

Derived keys are encrypted using user-provided public keys, ensuring that neither subnet nodes nor canisters can access the derived keys. Additionally, users can verify that the keys were generated correctly according to the protocol, that they were correctly encrypted using their public key, and that the keys have not been tampered with.

Now, canisters can access this new functionality via the newly introduced system API, allowing developers to use decentralized key management directly within their smart contracts without relying on off-chain components. To achieve seamless integration, the Niobium milestone introduces user- and developer-facing libraries that simplify the process of integrating vetKeys into frontend workflows and backend canister logic, making it easier to build privacy-preserving dApps on the Internet Computer.


Additionally, the vetKD protocol allows canisters to access threshold decryption, where the decryption operation is securely distributed across various nodes in the subnet. This distributed approach enhances security by eliminating single points of failure: no single party possesses enough information to decrypt data on its own; instead, decryption requires the participation of a certain number of nodes, and the results can be cryptographically verified.

Important Note: vetKeys guarantees high confidentiality before decryption. Once plaintext is handed over (for example, to a canister), it is no longer considered private data. At this stage, developers are responsible for securely handling data in application logic. Additionally, some applications can benefit from decryption on the canister side, where the decrypted content is intentionally revealed to all users at a specific time or event.

What can you build with vetKeys?

By introducing threshold key derivation for canisters, vetKeys opens the door to a range of privacy-preserving applications that require confidentiality, flexible access control, and stronger trust guarantees. Beyond privacy, vetKeys extends the chain key functionality of canisters with new advanced encryption features, enabling more powerful and secure dApps.

Decentralized Key Management Service (DKMS)

Managing user keys, especially in multi-device and multi-user environments, is extremely complex and prone to errors. vetKeys supports the development of decentralized key management services, allowing users to easily generate, retrieve, and share encrypted keys across devices and with other users. By offloading key derivation work to subnet nodes without exposing the keys, vetKeys simplifies key distribution. Additionally, due to the deterministic nature of threshold key derivation, users can reliably retrieve keys as needed without explicitly storing them anywhere.

On-chain encrypted storage

One of the core applications of DKMS is generating encryption keys to protect data, whether that data is stored in canisters, on other blockchains, or completely off-chain. With vetKeys, these keys can be securely shared between devices and users, enabling powerful privacy-preserving use cases, including private storage solutions, end-to-end encrypted messaging, password managers, and collaborative applications handling sensitive data.

Identity-based encryption (IBE)

vetKeys supports identity-based encryption, allowing data to be directly encrypted to specific identities, such as principals, Internet identities, email addresses, or even Ethereum addresses. This means that even if a specific user or account has never interacted with a dApp, data can still be encrypted for them. By authenticating with their identity on the dApp, users can securely retrieve decryption keys and access data.

Time-lock encryption

Another advanced encryption variant supported by vetKeys is time-lock encryption, which allows senders to encrypt data to a specific timestamp, ensuring that recipients can only decrypt after a certain period. Canisters can enforce this time-based access control by requesting threshold decryption of ciphertext only after the scheduled expiration time, effectively sealing sensitive information until the appropriate time. This enables the implementation of time-sensitive applications, such as sealed-bid auctions, time-locked documents, dead man switches, and delayed disclosure NFTs.

Time-lock encryption is also a key building block for preventing Maximum Extractable Value (MEV): By keeping transaction details confidential before they are included in a block, it can prevent adversaries from front-running and reordering transactions.

Threshold BLS signature

Chain Fusion technology allows canisters to natively interact with other blockchains (e.g., Bitcoin or Ethereum) without relying on external bridges or trusted intermediaries. This is achieved through a threshold signature scheme that enables canisters to instruct subnet nodes to jointly compute ECDSA, Schnorr, and EdDSA signatures.

vetKeys extends this functionality by introducing a new threshold signature scheme for canisters: threshold BLS signatures. BLS signatures are particularly suited for multi-chain applications due to their compact size and efficient aggregation properties. By supporting threshold BLS, vetKeys further enhances ICP's interoperability, enabling canisters to participate in more advanced multi-chain dApps and protocols.

Verifiable randomness

vetKeys can also act as a Verifiable Random Function (VRF), meaning canisters can generate randomness that is not only unpredictable and tamper-proof but also publicly verifiable. Trustworthy randomness is a key cornerstone for various decentralized applications, including trustless online lotteries, fair casino games, and GameFi experiences where the outcomes must be provably fair.

It also plays a critical role in the NFT ecosystem, such as assigning random traits or rarity during the minting process, or enabling chance-based dynamic in-game interactions.

Start building with vetKeys

Developers can now get started with vetKeys through the official documentation:

vetKeys Developer Documentation:

  • internetcomputer.org/docs/building-apps/network-features/vetkeys/introduction

Libraries and examples:

  • github.com/dfinity/vetkeys

Engage and interact with the community:

  • forum.dfinity.org/t/threshold-key-derivation-privacy-on-the-ic/16560
