Key & Address Architecture

Linker and Memo Key Derivation

Protocol for deriving linker and memo keys from Individual Transaction Keys using domain-separated PRF calls

Protocol Description

Each ITK is used as input to a Key Derivation Function (KDF) to produce two final keys using domain-separated PRF calls.

$$
\begin{align}
k_{\text{linker}} &\triangleq \text{Poseidon}( k_{\text{ITK}}, \text{EncodeAsFieldElement}(\text{"Linker-Key"}) ) \\
k_{\text{memo}} &\triangleq \text{Poseidon}( k_{\text{ITK}}, \text{EncodeAsFieldElement}(\text{"Memo-Key"}) )
\end{align}
$$

Key Derivation Process

Linker Key Derivation

  1. Input: Individual Transaction Key $k_{\text{ITK}}$
  2. Domain Separation: String "Linker-Key" encoded as field element
  3. Hash Function: Poseidon hash function
  4. Output: Linker key $k_{\text{linker}}$

Memo Key Derivation

  1. Input: Individual Transaction Key $k_{\text{ITK}}$ (same as linker)
  2. Domain Separation: String "Memo-Key" encoded as field element
  3. Hash Function: Poseidon hash function
  4. Output: Memo key $k_{\text{memo}}$

Domain Separation

The use of distinct domain separator strings ensures:

  • Independence: Linker and memo keys are computationally independent
  • Uniqueness: Different inputs to the PRF for each key type
  • Security: Prevents cross-contamination between key purposes
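
The derivation and its domain separation, sketched as an added example (not Umbra's code). Assumptions, since the page specifies none of them: the BN254 scalar field as the modulus, a big-endian byte encoding for `EncodeAsFieldElement`, and HMAC-SHA-512 as a stand-in for Poseidon so the block runs with the standard library only. The length check is what keeps the label encoding injective: a label that needed modular reduction could collide with another label and silently merge the two key domains.

```python
import hashlib
import hmac

# Assumption: BN254 scalar field modulus; the page does not name the field.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

def encode_as_field_element(label: str) -> int:
    """Assumed encoding: big-endian bytes of a short ASCII label."""
    raw = label.encode("ascii")
    # 31 bytes = 248 bits, below the ~253-bit modulus, so no reduction happens
    # and distinct labels always give distinct field elements. A leading NUL
    # is rejected because it would vanish in the integer conversion.
    if not 0 < len(raw) <= 31 or raw[0] == 0:
        raise ValueError("label must be 1..31 bytes with no leading NUL")
    return int.from_bytes(raw, "big")

def prf2(key: int, tag: int) -> int:
    """STAND-IN for Poseidon(key, tag): HMAC-SHA-512 reduced into the field."""
    if not (0 <= key < P and 0 <= tag < P):
        raise ValueError("inputs must be canonical field elements")
    mac = hmac.new(key.to_bytes(32, "big"), tag.to_bytes(32, "big"), hashlib.sha512)
    return int.from_bytes(mac.digest(), "big") % P

# Domain separators from the page, encoded once.
LINKER_TAG = encode_as_field_element("Linker-Key")
MEMO_TAG = encode_as_field_element("Memo-Key")

def derive_keys(k_itk: int) -> tuple[int, int]:
    """Return (k_linker, k_memo) for one Individual Transaction Key."""
    return prf2(k_itk, LINKER_TAG), prf2(k_itk, MEMO_TAG)

def sample_itk(seed: bytes) -> int:
    """Constructed test ITK (hypothetical helper); real ITKs come from the wallet."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % P

if __name__ == "__main__":
    k_linker, k_memo = derive_keys(sample_itk(b"constructed sample ITK"))
    print(f"k_linker = {k_linker:#x}")
    print(f"k_memo   = {k_memo:#x}")
```
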

Key Purposes

Linker Key ($k_{\text{linker}}$)

  • Transaction Linking: Links transactions to specific recipients
  • Deposit Linking: Links deposits to Umbra addresses
  • Claim Linking: Links claims to specific commitments
  • Privacy Preserving: Appears random without the ITK

Memo Key ($k_{\text{memo}}$)

  • Memo Encryption: Used for encrypting transaction memos
  • Metadata Protection: Protects sensitive transaction metadata
  • Optional Information: Can store additional transaction details
  • Independent Security: Separate from linker functionality

Security Analysis

Security Proof: Independence of Linker and Memo Keys

Argument: The use of distinct domain separator strings ensures that the inputs to the PRF are always different for the two derivations. Therefore, the outputs $k_{\text{linker}}$ and $k_{\text{memo}}$ are computationally independent and pseudorandom to any party not in possession of $k_{\text{ITK}}$.

Properties

  • Independent: Linker and memo keys are computationally independent
  • Pseudorandom: Both appear as random field elements
  • ITK-Dependent: Only derivable by holders of the $k_{\text{ITK}}$
  • Purpose-Specific: Each key has a distinct cryptographic purpose
  • Domain-Separated: Uses different domain strings for security