Umbra PrivacyKey Architecture Overview
Understanding Umbra's cryptographic key structure for privacy, spending authority, confidential accounts, and auditability
The Umbra Protocol uses a four-key cryptographic model that decouples transaction authority into distinct layers: L1 Interaction, Confidential Account Visibility, Shielded Spending, and Auditing. This architecture allows users to maintain privacy and spend authority while providing granular, opt-in auditability for compliance or personal tracking.
Unlike standard blockchains where a single public key represents both identity and history, Umbra uses a User Commitment Tree-a unified identity derived from three of the four keypairs (the X25519 Keypair operates independently).
The Four Keys
User Commitment Binding
Three of the four keys are cryptographically bound into a unified shielded identity. The X25519 Keypair operates independently.
The Four-Key Model
Every entity interacting with Umbra must generate and manage four distinct keys, each serving a specific cryptographic purpose:
| Key Type | Cryptographic Primitive | Primary Purpose | In Commitment? |
|---|---|---|---|
| L1 Interaction Key | Ed25519 Keypair | L1 chain + ETA ownership | Yes |
| X25519 Keypair | X25519 (Curve25519 ECDH) | ETA visibility + MPC communication | No |
| Shielded Spending Key | BN254 Scalar Field Element | Zero-knowledge proof generation for UTXO spending | Yes |
| Master Viewing Key | 252-bit Integer | Decryption and auditability without spending authority | Yes |
Two Domains: Mixer Pool vs. Encrypted Token Accounts
Umbra operates across two distinct privacy domains, each using different keys:
Mixer Pool (Shielded UTXOs)
For anonymous, unlinkable transfers through the unified mixer pool:
| Key | Role |
|---|---|
| L1 Interaction Key | Deposits into and withdrawals from the mixer |
| Shielded Spending Key | Proves ownership and spends UTXOs via ZK proofs |
| Master Viewing Key | Decrypts transaction history for auditing |
Encrypted Token Accounts (ETAs)
For confidential balance storage and direct transfers:
| Key | Role |
|---|---|
| L1 Interaction Key | Ownership and control of ETA funds |
| X25519 Keypair | Visibility-derives shared secret with Umbra MXE to decrypt balances and communicate with MPC |
Key Independence & Security Model
The four keys in Umbra's architecture can be either fully independent or deterministically derived from a common source. This choice is entirely up to the end users of the protocol and integrating developers, and represents a fundamental tradeoff between two security paradigms:
Two Security Paradigms
Information-Theoretic Security (Random Generation)
When keys are generated independently and randomly, they achieve information-theoretic security. This means that even an adversary with unlimited computational power cannot derive one key from another, because there is simply no mathematical relationship between them.
Characteristics:
- Each key is sampled from a cryptographically secure random number generator (CSPRNG)
- No key can be computed from any other key, regardless of computational resources
- Compromise of one key provides zero information about the others
- Provides the strongest possible independence guarantee
Tradeoffs:
- Each key must be stored and backed up separately
- Loss of any key's backup means permanent loss of that key's functionality
- More complex key management (4+ separate secrets to secure)
- No single point of recovery
Cryptographic Security (Deterministic Derivation)
When keys are deterministically derived from a single master seed, they achieve cryptographic security. This means that deriving one key from another is computationally infeasible-it would require breaking the underlying cryptographic assumptions (e.g., the security of KMAC-256 or the discrete logarithm problem).
Characteristics:
- All keys are derived from a single master seed using domain-separated key derivation functions
- Keys are computationally independent: deriving one from another requires breaking cryptographic assumptions
- Single backup (the master seed) enables recovery of all keys
- Practical security equivalent to information-theoretic security against realistic adversaries
Tradeoffs:
- Compromise of the master seed compromises all derived keys
- Single point of failure for backups (but also single point of recovery)
- Relies on the security of the key derivation function (e.g., KMAC-256)
- Simpler key management (1 seed to secure)
Comparison of Approaches
| Aspect | Random Generation | Deterministic Derivation |
|---|---|---|
| Security Model | Information-theoretic | Cryptographic |
| Independence | Unconditionally independent | Computationally independent |
| Adversary Assumption | Secure against unbounded adversaries | Secure against polynomial-time adversaries |
| Backup Complexity | 4+ separate secrets | 1 master seed |
| Single Point of Failure | None (distributed risk) | Master seed |
| Recovery Simplicity | Complex (need all backups) | Simple (derive from seed) |
| Key Compromise Impact | Isolated to that key only | Isolated if only derived key leaked; total if seed leaked |
| Recommended For | Maximum security, institutional custody | Ease of use, personal wallets |
Protocol Requirements
Regardless of which approach is chosen, each key must satisfy its specific validity conditions:
| Key | Condition |
|---|---|
| L1 Interaction Key | Valid Ed25519 keypair (any 32-byte seed produces a valid key) |
| X25519 Keypair | Valid X25519 keypair (any 32-byte seed produces a valid key) |
| Shielded Spending Key | Must be strictly less than the BN254 scalar field modulus: |
| Master Viewing Key | Must be exactly 252 bits (for Rescue cipher field compatibility) |
| Blinding Factors | Must be valid BN254 field elements |
The protocol does not care how these conditions are met-only that they are met. Users can generate keys randomly, derive them deterministically, use hardware security modules, implement threshold schemes, or any combination thereof.
Hybrid Approaches
Advanced users may choose hybrid strategies that combine both paradigms:
Example 1: Isolated Spending Key
- Derive L1, X25519, and MVK from a master seed (convenience)
- Generate Spending Key randomly and store separately (maximum spending security)
- Rationale: The spending key is the most critical; isolating it limits blast radius
Example 2: Hardware-Backed Critical Keys
- Store L1 and Spending Key in hardware security module (HSM)
- Derive X25519 and MVK from software seed (acceptable for view-only)
- Rationale: Hardware isolation for keys that control funds
Example 3: Threshold Rescue Key for DAOs
- Derive L1, Spending Key, and MVK deterministically per user
- Use Distributed Key Generation (DKG) for shared X25519 Key
- Rationale: DAO treasury visibility requires quorum, but individual spending is personal
Blinding Factors
The blinding factors used in the User Commitment Tree follow the same independence model:
- Random blinding factors provide information-theoretic hiding of the underlying keys
- Derived blinding factors provide cryptographic hiding and are recoverable from the master seed
Both approaches produce a secure User Commitment. The Umbra SDK uses derived blinding factors for ease of backup and recovery, but users requiring maximum theoretical security can generate them randomly.
Compromise & Loss Scenarios
The consequences of key compromise or loss differ dramatically based on whether keys were generated independently (information-theoretic security) or derived from a master seed (cryptographic security). This section provides detailed analysis of each scenario.
Scenario Analysis: Deterministic Derivation
When all keys are derived from a single master seed, security events follow a correlated pattern.
Master Seed Compromise
What happens: An attacker gains access to the master seed (e.g., via phishing, malware, physical theft, or backup breach).
Immediate consequences:
| Asset Type | Impact | Severity |
|---|---|---|
| Encrypted Token Accounts | Attacker can derive L1 key and drain all ETA funds immediately | Critical |
| Mixer Pool UTXOs | Attacker can derive Spending Key and spend all shielded funds | Critical |
| Transaction History | Attacker can derive MVK and view complete transaction history | High |
| ETA Balances | Attacker can derive X25519 key and see all confidential balances | High |
Attack timeline:
- Attacker derives all four keys from the compromised seed
- Attacker drains ETAs via L1 key (immediate, visible on L1 chain)
- Attacker spends mixer UTXOs via Spending Key (requires generating ZK proofs)
- Attacker decrypts all historical and future transaction data via MVK
- Complete loss of funds and privacy
Mitigation after detection:
- No recovery possible for already-stolen funds
- Immediately move any remaining funds to a new identity with fresh seed
- Assume all historical transaction privacy is permanently compromised
Individual Derived Key Exposure
What happens: An attacker gains access to a single derived key (not the master seed itself).
L1 Interaction Key compromised (derived):
| Impact | Details |
|---|---|
| ETA funds | At risk-attacker can transfer all ETA balances |
| Mixer deposits | Attacker can deposit your ETAs into mixer (to their commitment) |
| Mixer UTXOs | Safe-attacker cannot derive Spending Key from L1 key alone |
| Recovery | User still has master seed; can create new identity and migrate funds from mixer |
| Privacy | Transaction history and balances remain private |
Shielded Spending Key compromised (derived):
| Impact | Details |
|---|---|
| Mixer UTXOs | At risk-attacker can spend all shielded funds |
| ETA funds | Safe-attacker cannot derive L1 key from Spending Key |
| Recovery | User still has L1 control; ETA funds secure |
| Privacy | Attacker cannot view transaction history (needs MVK) |
| Urgency | Must spend all mixer UTXOs to new commitment immediately |
Master Viewing Key compromised (derived):
| Impact | Details |
|---|---|
| Funds | Safe-MVK provides no spending authority |
| Privacy | Completely compromised-all past and future transactions visible |
| Recovery | Cannot "unsee" leaked information; must migrate to new identity for future privacy |
| Ongoing risk | Attacker can continue monitoring if user doesn't migrate |
X25519 Keypair compromised (derived):
| Impact | Details |
|---|---|
| Funds | Safe-Rescue key provides no spending authority |
| ETA visibility | Compromised-attacker can see all ETA balances |
| MPC communication | Attacker can decrypt MPC results meant for user |
| Mixer privacy | Unaffected-mixer uses different encryption (MVK-based) |
Master Seed Loss (Deterministic)
What happens: User loses access to the master seed (hardware failure, forgotten password, lost backup).
If no individual key backups exist:
| Key | Recovery | Consequence |
|---|---|---|
| L1 Interaction Key | Impossible | ETA funds permanently inaccessible |
| X25519 Keypair | Impossible | Cannot decrypt ETA balances (funds still exist but invisible) |
| Shielded Spending Key | Impossible | Mixer funds permanently locked forever |
| Master Viewing Key | Impossible | Transaction history permanently unreadable |
| Blinding Factors | Impossible | Cannot reconstruct User Commitment for ZK proofs |
Critical insight: In deterministic derivation, losing the master seed is equivalent to losing ALL keys simultaneously. This is both the greatest risk and the simplest recovery model-everything depends on one secret.
Mitigation strategies:
- Geographic distribution of seed backups
- Hardware security modules with backup procedures
- Multi-signature custody for institutional users
- Regular verification that backups are recoverable
Scenario Analysis: Independent Random Generation
When each key is generated independently, security events are isolated but recovery is more complex.
Individual Key Compromise (Independent)
L1 Interaction Key compromised (independent):
| Impact | Details |
|---|---|
| ETA funds | At risk-attacker can transfer all ETA balances |
| Mixer UTXOs | Completely safe-no mathematical relationship to Spending Key |
| Other keys | Completely safe-attacker gains zero information about them |
| Recovery | Migrate ETAs to new L1 key; mixer funds remain secure with existing keys |
Shielded Spending Key compromised (independent):
| Impact | Details |
|---|---|
| Mixer UTXOs | At risk-attacker can spend all shielded funds |
| ETA funds | Completely safe-no mathematical relationship to L1 key |
| Privacy | Still protected-attacker cannot derive MVK |
| Recovery | Spend remaining mixer funds to new commitment; ETAs unaffected |
Master Viewing Key compromised (independent):
| Impact | Details |
|---|---|
| All funds | Completely safe-MVK has no spending authority |
| Privacy | Fully compromised for mixer transactions |
| Other keys | Completely safe-attacker cannot derive L1 or Spending Key |
| Recovery | Must migrate to new identity for future privacy; cannot undo historical leak |
X25519 Keypair compromised (independent):
| Impact | Details |
|---|---|
| All funds | Completely safe-Rescue key has no spending authority |
| ETA visibility | Compromised-attacker sees all ETA balances |
| Mixer privacy | Unaffected-completely separate encryption system |
| Other keys | Completely safe-no derivation relationship |
Key advantage of independent generation: Each compromise is perfectly isolated. An attacker who obtains your MVK learns absolutely nothing about your Spending Key or L1 key-not even probabilistically.
Individual Key Loss (Independent)
L1 Interaction Key lost (independent):
| Consequence | Details |
|---|---|
| ETA funds | Permanently inaccessible-no way to authorize transfers |
| Mixer funds | Fully accessible-Spending Key is independent |
| Recovery | None for ETAs; mixer funds can be moved to new identity |
Shielded Spending Key lost (independent):
| Consequence | Details |
|---|---|
| Mixer funds | Permanently locked forever-no recovery mechanism exists |
| ETA funds | Fully accessible-L1 key is independent |
| Blinding factors | If also lost, commitment cannot be reconstructed |
| Recovery | None for mixer; ETAs unaffected |
Master Viewing Key lost (independent):
| Consequence | Details |
|---|---|
| All funds | Fully accessible-MVK not required for spending |
| Transaction history | Permanently unreadable |
| Compliance | Cannot provide audit trail for historical transactions |
| Recovery | None; future transactions can use new MVK with new commitment |
X25519 Keypair lost (independent):
| Consequence | Details |
|---|---|
| All funds | Fully accessible-can still transfer via L1 key |
| ETA visibility | Cannot see own balances (blind operation) |
| Recovery | Can register new Rescue key on-chain for future visibility |
Key risk of independent generation: Each key loss is also isolated. Losing your Spending Key backup means mixer funds are gone forever, even if all other keys are perfectly secure.
Multiple Key Loss (Independent)
With independent generation, losing multiple keys compounds consequences:
| Keys Lost | Consequence |
|---|---|
| L1 + Spending | All funds permanently inaccessible |
| L1 + MVK | ETAs inaccessible, mixer operable but no audit history |
| Spending + MVK | Mixer funds locked, but can prove historical compliance if you kept signed statements |
| All four keys | Complete and permanent loss of all funds and history |
Comparative Summary
| Scenario | Deterministic Derivation | Independent Generation |
|---|---|---|
| Single key compromise | Other keys mathematically safe (unless seed leaked) | Other keys unconditionally safe |
| Seed/total compromise | All funds and privacy lost | N/A (no single seed) |
| Single key loss | Recover from seed | Permanent loss of that key's function |
| Seed loss | Total loss of everything | N/A (no single seed) |
| Backup complexity | 1 secret to protect | 4+ secrets to protect |
| Blast radius | Potentially total | Always isolated |
| Recovery simplicity | Very simple if seed safe | Very complex; requires all backups |
| Recommended for | Personal users prioritizing convenience | Institutions prioritizing compartmentalization |
Unified Identity: The User Commitment
In Umbra, a user's Shielded Address is not a public key. It is the Root Hash of a deterministic Merkle Tree, known as the User Commitment. This structure cryptographically binds three of the four keys together.
Note: The X25519 Keypair is intentionally excluded from the User Commitment. It operates independently for ETA visibility and MPC communication.
For detailed information on the tree structure and construction, see User Commitment Tree.
Key Rotation
Key rotation is not currently supported for keys in the User Commitment. Once a User Commitment is created and UTXOs are associated with it, the underlying keys cannot be changed. Users who require new keys must:
- Spend all existing mixer UTXOs to a new User Commitment
- Generate a fresh set of keys
- Create a new User Commitment from the new keys
The X25519 Keypair, being independent of the commitment, could theoretically be rotated with ETA re-encryption, though this is not currently a supported protocol operation.
Selective Transparency & Auditability
How Umbra enables granular viewing access for compliance and auditing without compromising spending authority.
L1 Interaction Key
Understand the L1 Interaction Key - your standard Solana keypair for signing transactions, paying fees, and controlling public funds on the blockchain.