X25519 Keypair

X25519 keypair for deriving shared secrets via Diffie-Hellman key exchange, enabling encrypted communication and confidential data

Overview

The X25519 Keypair is a Curve25519 elliptic curve keypair used for Diffie-Hellman (DH) key exchange. The primary purpose of this keypair is to derive shared secrets with other parties-without ever transmitting the secret itself over any channel.

The X25519 DH key exchange works as follows:

You have your X25519 private key (kept secret)
The other party has their X25519 public key (publicly known)
You perform the X25519 scalar multiplication: $\text{SharedSecret} = \text{X25519}(\text{YourPrivate}, \text{TheirPublic})$
The other party can compute the same shared secret using their private key and your public key
Both parties now share a secret that no eavesdropper can derive

This shared secret can then be used for multiple different purposes-encrypting data, keying symmetric ciphers, deriving further keys, or any cryptographic operation requiring a shared symmetric key.

Unlike the other three keys in Umbra's architecture, this keypair is not included in the User Commitment Tree-it operates independently to manage visibility of confidential account balances and enable secure communication channels.

Technical Specification

Property	Value
Algorithm	X25519 (Curve25519 ECDH)
Curve	Curve25519 (Montgomery form)
Private Key Size	256 bits (32 bytes)
Public Key Size	256 bits (32 bytes)
Shared Secret Size	256 bits (32 bytes)
Security Level	~128-bit security
On-Chain Registration	Public key registered for incoming encryptions

Mathematical Foundation

X25519 is based on elliptic curve Diffie-Hellman over Curve25519. Given:

Your private key $a$ (a 256-bit scalar)
Their public key $B$ (a point on the curve, encoded as 32 bytes)
The curve's base point $G$

The shared secret is computed as:

\text{SharedSecret} = a \cdot B = a \cdot (b \cdot G) = b \cdot (a \cdot G) = b \cdot A

Where $A$ is your public key and $b$ is their private key. Both parties arrive at the same point on the curve, which is then encoded as the 32-byte shared secret.

Shared Secret Derivation

The core operation of the X25519 keypair is deriving a shared secret with another party's public key:

\text{SharedSecret} = \text{X25519}(\text{YourPrivateKey}, \text{TheirPublicKey})

Properties of the Shared Secret

Property	Guarantee
Mutual Derivation	Both parties compute the identical secret
Eavesdropper Resistance	Cannot be derived from observing public keys alone
Forward Secrecy	If using ephemeral keys, past secrets remain secure even if long-term keys are compromised
Uniformity	Output is indistinguishable from random (after hashing)
Determinism	Same inputs always produce the same shared secret

Key Derivation from Shared Secret

The raw X25519 output should typically be passed through a key derivation function (KDF) before use:

\text{DerivedKey} = \text{KDF}(\text{SharedSecret}, \text{Context})

This ensures proper domain separation and extracts uniform randomness from the shared secret.

Use Cases

The X25519 keypair enables multiple cryptographic operations through shared secret derivation. Each use case involves performing a DH key exchange with a different party's public key.

Use Case 1: Encrypting Data for the MPC

The primary use case in Umbra is encrypting data for the Arcium MPC network. This enables confidential computation where the MPC can process encrypted data without any single node learning the plaintext.

How It Works

Obtain the MXE Public Key: The Umbra program deployed on Solana mainnet has a well-known MXE (MPC Execution Environment) public key. This is an X25519 public key that represents the MPC network's decryption capability.
Derive the Shared Secret: Using your X25519 private key and the MXE public key, derive a shared secret:

\text{SharedSecret}_{\text{MPC}} = \text{X25519}(\text{YourPrivateKey}, \text{MXEPublicKey})

Key the Rescue Cipher: The shared secret is used to select a specific cipher instance from the family of all possible Rescue Ciphers. The Rescue Cipher is specifically designed to be MPC-friendly-its algebraic structure makes it efficient for multi-party computation.

\text{RescueCipherInstance} = \text{RescueCipher}(\text{SharedSecret}_{\text{MPC}})

Encrypt Your Data: Use the keyed Rescue Cipher instance to encrypt your confidential data:

\text{Ciphertext} = \text{RescueCipherInstance}.\text{Encrypt}(\text{Plaintext}, \text{Nonce})

Submit to MPC: The ciphertext can now be submitted to the MPC network. The MPC nodes can collectively decrypt and process the data without any single node learning the plaintext.

Why Rescue Cipher?

The Rescue Cipher is chosen specifically for MPC compatibility:

Property	Benefit for MPC
Algebraic Structure	Operations are native to the finite field, reducing MPC overhead
Low Multiplicative Depth	Fewer rounds of MPC communication required
ZK-Compatible	Can be verified inside zero-knowledge circuits
Nonce-Based	Same plaintext + different nonce = different ciphertext (semantic security)
Field-Native	No bit-level operations that are expensive in MPC

For complete technical details on the Rescue Cipher, see Rescue Cipher.

Encrypted Token Account Balances

A critical application of MPC encryption is Encrypted Token Account (ETA) balances:

Your ETA balance is encrypted using a Rescue Cipher keyed by the shared secret with the MXE
The encrypted balance is stored on-chain (visible to everyone as ciphertext)
Only you (with your X25519 private key) and the MPC network can decrypt it
The MPC can perform operations on your encrypted balance (transfers, etc.) without learning the actual value

Bidirectional MPC Communication

The shared secret enables communication in both directions:

Direction	Process
You to MPC	Encrypt with shared secret, MPC decrypts collectively
MPC to You	MPC encrypts with shared secret, you decrypt with your private key

This is essential for:

Submitting confidential inputs to MPC computations
Receiving confidential computation outputs from the MPC
Querying your encrypted balances

Use Case 2: Encrypting Data for Another User

Beyond MPC communication, the X25519 keypair enables peer-to-peer encrypted communication between users. Any two users with registered X25519 public keys can establish a shared secret and communicate confidentially.

How It Works

Obtain the Recipient's Public Key: The recipient has registered their X25519 public key on-chain. You fetch this public key.
Derive a Shared Secret: Using your X25519 private key and the recipient's public key:

\text{SharedSecret}_{\text{User}} = \text{X25519}(\text{YourPrivateKey}, \text{RecipientPublicKey})

The Recipient Can Derive the Same Secret: Using their private key and your public key:

\text{SharedSecret}_{\text{User}} = \text{X25519}(\text{RecipientPrivateKey}, \text{YourPublicKey})

Both computations produce the identical shared secret.

Encrypt Your Message: Use the shared secret to key a symmetric cipher and encrypt your message:

\text{Ciphertext} = \text{Encrypt}_{\text{SharedSecret}}(\text{Message}, \text{Nonce})

Transmit the Ciphertext: Send the ciphertext to the recipient (on-chain, off-chain, or via any channel).
Recipient Decrypts: The recipient derives the same shared secret and decrypts:

\text{Message} = \text{Decrypt}_{\text{SharedSecret}}(\text{Ciphertext}, \text{Nonce})

Sender encrypts:

Recipient decrypts:

Applications

Application	Description
Private Memos	Attach encrypted messages to transactions that only the recipient can read
Encrypted Metadata	Share confidential transaction details with specific parties
Secure Coordination	Coordinate multi-party transactions without revealing details publicly
Selective Disclosure	Share specific information with auditors or counterparties

Security Considerations for User-to-User Encryption

Consideration	Recommendation
Nonce Reuse	Never reuse a nonce with the same shared secret
Key Rotation	Consider ephemeral keys for forward secrecy
Authentication	The shared secret only provides confidentiality, not authentication-verify the public key belongs to the intended recipient
Public Key Authenticity	Ensure you're using the correct public key (on-chain registration helps)

Use Case 3: Deriving Multiple Keys from One Exchange

A single X25519 key exchange can derive multiple independent keys for different purposes using a key derivation function (KDF):

\text{Key}_1 = \text{KDF}(\text{SharedSecret}, \text{"encryption"})

\text{Key}_2 = \text{KDF}(\text{SharedSecret}, \text{"authentication"})

\text{Key}_3 = \text{KDF}(\text{SharedSecret}, \text{"key-encryption"})

This enables:

Authenticated encryption: Separate keys for encryption and MAC
Key hierarchies: Derive session keys from a master shared secret
Domain separation: Different keys for different protocol contexts

On-Chain Registration

Before others can encrypt data for you, your X25519 public key must be registered on-chain:

What Registration Enables

Capability	Description
Incoming ETA Transfers	Senders can look up your public key and encrypt transfer amounts for you
MPC Results	The MPC network can encrypt computation outputs for you
User-to-User Encryption	Other users can establish shared secrets with you
Protocol Discovery	Applications know which key to use for your encryptions

Registration Process

Generate your X25519 keypair (deterministically from seed or randomly)
Submit a registration transaction with your X25519 public key
The public key is stored in your on-chain account record
Others can now query your public key and encrypt data for you

Key Generation

The X25519 Keypair can be generated using several approaches:

Method	Description	Security Model
Random	Generate from cryptographically secure randomness	Information-theoretic independence
Deterministic	Derive from L1 private key or master seed	Cryptographic independence
DKG	Distributed key generation across multiple parties	Threshold security

Deterministic Derivation

For convenience, the X25519 keypair can be derived from a master seed:

\text{X25519Private} = \text{KDF}(\text{MasterSeed}, \text{"x25519-keypair"})

Pros:

Single backup (master seed) recovers all keys
Simpler key management

Cons:

Master seed compromise = X25519 keypair compromise
Coupled security model

Independent Random Generation

For maximum security isolation:

Pros:

Compromise of other keys doesn't affect X25519 keypair
Information-theoretic independence

Cons:

Must backup X25519 private key separately
More complex key management

Visibility vs. Ownership

Umbra separates visibility (who can see) from ownership (who can control) for Encrypted Token Accounts:

Aspect	Controlled By	Key Type
Ownership	L1 Interaction Key	Ed25519
Visibility	X25519 Keypair	X25519

This separation enables powerful capabilities:

Capability	How It Works
Blind Transfers	L1 key can transfer ETA funds even without X25519 key (you just can't see balances)
View-Only Access	Share X25519 key with auditor-they can see balances but not transfer
Threshold Visibility	Use DKG for X25519 so multiple parties must cooperate to decrypt

Security Considerations

Compromise Impact

If your X25519 private key is compromised:

Impact	Severity
ETA Balance Visibility	Attacker can see all your encrypted balances
Decrypt Messages For You	Attacker can decrypt any data encrypted to your public key
Derive Shared Secrets	Attacker can derive shared secrets with any party
Fund Theft	No direct impact-requires L1 key
Mixer UTXO Spending	No impact-requires Shielded Spending Key

Loss Impact

If you lose your X25519 private key:

Impact	Consequence
Cannot See ETA Balances	Your balances are still there, but you can't decrypt them
Cannot Decrypt Messages	Data encrypted to your public key becomes unreadable
Funds Still Controllable	L1 key can still transfer ETA funds (blind transfers)
Recovery	If derived from master seed, recover by re-deriving

Summary

Aspect	Details
Type	X25519 Keypair (Curve25519 ECDH)
Primary Purpose	Derive shared secrets via Diffie-Hellman key exchange
Use Case 1	Encrypt data for MPC using Rescue Cipher
Use Case 2	Encrypt data for other users (peer-to-peer)
Use Case 3	Derive multiple keys from one exchange
In User Commitment?	No
On-Chain Registration	Public key must be registered
Compromise Impact	Visibility only (no fund theft)
Loss Impact	Cannot decrypt (funds still controllable via L1 Key)

On this page