Comment on page
The Initialization Of Secret Network
Secret Network is set up to perform computation while having encrypted state, input and output. The state is encrypted using private keys generated during the network bootstrapping from a
consensus_seed
. The bootstrap node was the first full node on the network and generated the shared secrets similar to a universal trusted zero knowledge setup.The bootstrap node first does a remote attestation to prove they are running a genuine SGX enclave with updated software. After registering the bootstrap node handled the initialization of following variables:
Consensus_seed
a true random 256 bit seed used as entropy for generating shareable keypairs between the nodes of the network.consensus_seed_exchange_pubkey
-consensus_seed_exchange_pubkey
an HDKF private key and a matching curve25519 public key for encryption of the random seed and sharing this with other full nodes in the network.consensus_io_exchange_pubkey
-consensus_io_exchange_pubkey
an HDKF private key and a matching curve25519 public key for encrypting transactions IO in the network. Also referenced as the "Secret Network keypair".consensus_state_ikm
An input keyring material (IKM) for HKDF-SHA256 is used to derive encryption keys for contract state.consensus_callback_secret
A curve25519 private key is used to create callback signatures when contracts call other contracts
The bootstrap node proves to have a genuine enclave after which it can participate in the network. More information can be found on this page.
The bootstrap node is instructed when started to generate a true random 256 bit seed inside the enclave, the
consensus_seed
.The
consensus_seed
is sealed with MRSIGNER to a local file : $HOME/.sgx_secrets/consensus_seed.sealed
// 256 bits
consensus_seed = true_random({ bytes: 32 });
seal({
key: "MRSIGNER",
data: consensus_seed,
to_file: "$HOME/.sgx_secrets/consensus_seed.sealed",
});
For the network to start decentralizing the bootstrap node needs to be able to share the
consensus_seed
. The network can then use the seed to create shared secrets while in the enclave. To securely share the seed the Network uses a DH-key exchange.Using HKDF-SHA256,
hkdf_salt
and consensus_seed
a private key is derived. From consensus_seed_exchange_privkey
calculate consensus_seed_exchange_pubkey
consensus_seed_exchange_privkey = hkdf({
salt: hkdf_salt,
ikm: consensus_seed.append(uint8(1)),
}); // 256 bits
consensus_seed_exchange_pubkey = calculate_curve25519_pubkey(
consensus_seed_exchange_privkey
);
Using HKDF-SHA256,
hkdf_salt
and consensus_seed
a private key is derived. - From consensus_io_exchange_privkey
calculate consensus_io_exchange_pubkey
consensus_io_exchange_privkey = hkdf({
salt: hkdf_salt,
ikm: consensus_seed.append(uint8(2)),
}); // 256 bits
consensus_io_exchange_pubkey = calculate_curve25519_pubkey(
consensus_io_exchange_privkey
);
Using HKDF-SHA256,
hkdf_salt
and consensus_seed
derive consensus_state_ikm
consensus_state_ikm = hkdf({
salt: hkdf_salt,
ikm: consensus_seed.append(uint8(3)),
}); // 256 bits
5.
consensus_callback_secret
Using HKDF-SHA256,
hkdf_salt
and consensus_seed
derive consensus_callback_secret
consensus_state_ikm = hkdf({
salt: hkdf_salt,
ikm: consensus_seed.append(uint8(4)),
}); // 256 bits
Publish to
genesis.json
:- The remote attestation proof that the Enclave is genuine
consensus_seed_exchange_pubkey
consensus_io_exchange_pubkey
Last modified 9mo ago