Domain encryption enables controllers to securely store sensitive settings for Digital Entities using Interchain Identifiers (IIDs). IIDs are fully conformant DIDs specifically designed for Digital Entity domains within blockchain namespaces, extending the W3C DID standard with cross-chain resolution and Interchain ecosystem features while maintaining complete DID specification compatibility.
Overview Domain encryption provides privacy features for Digital Twins through:
IID-compliant document structure (following W3C DID standards with IXO extensions)
Privacy-preserving domain tokenization
Verifiable linked resources
Polymorphic service mediation
Herd privacy protection
Domain Settings Encryption Domain settings encryption uses pairwise key agreement and authenticated encryption to ensure that sensitive configuration data is only accessible to authorized parties, while maintaining IID compliance.
interface EncryptionKeys { keyAgreement : { id : string ; type : "X25519KeyAgreementKey2020" ; privateKeyMultibase : string ; publicKeyMultibase : string ; }; authentication : { id : string ; type : "Ed25519VerificationKey2020" ; privateKeyMultibase : string ; publicKeyMultibase : string ; }; } async function setupEncryptionKeys ( controller : string ) : Promise < EncryptionKeys > { // Generate key agreement key pair const keyAgreement = await X25519 . generateKeyPair (); // Generate authentication key pair const authentication = await Ed25519 . generateKeyPair (); return { keyAgreement: { id: ` ${ controller } #key-1` , type: "X25519KeyAgreementKey2020" , privateKeyMultibase: keyAgreement . privateKey , publicKeyMultibase: keyAgreement . publicKey }, authentication: { id: ` ${ controller } #key-2` , type: "Ed25519VerificationKey2020" , privateKeyMultibase: authentication . privateKey , publicKeyMultibase: authentication . publicKey } }; }
interface EncryptedSettings { name : string ; value : string ; nonce : string ; recipient : string ; timestamp : string ; } async function encryptDomainSettings ( controllerKeys : EncryptionKeys , recipientDID : string , settings : any ) : Promise < EncryptedSettings > { // Get recipient's key agreement key const recipientKey = await resolveKeyAgreementKey ( recipientDID ); // Perform ECDH const sharedSecret = await X25519 . deriveSharedSecret ( controllerKeys . keyAgreement . privateKeyMultibase , recipientKey . publicKeyMultibase ); // Derive encryption key const encryptionKey = await HKDF ( sharedSecret , { salt: randomBytes ( 32 ), info: "ixo-domain-settings-encryption" }); // Encrypt settings const nonce = randomBytes ( 12 ); const ciphertext = await AES_GCM . encrypt ( encryptionKey , JSON . stringify ( settings ), nonce , { recipient: recipientDID } ); return { name: "domainSettings" , value: base64Encode ( ciphertext ), nonce: base64Encode ( nonce ), recipient: recipientDID , timestamp: new Date (). toISOString () }; }
interface EncryptedResource { id : string ; type : string ; encryptedData : EncryptedSettings []; proof : string ; } async function storeEncryptedSettings ( iidDoc : IIDDocument , settings : EncryptedSettings ) : Promise < void > { // Create encrypted resource const resource : EncryptedResource = { id: ` ${ iidDoc . id } #encrypted-settings` , type: "EncryptedDomainSettings" , encryptedData: [ settings ], proof: await generateProof ( settings ) }; // Store via polymorphic mediator await iidDoc . mediator . storeResource ( resource . id , resource , { encryption: "required" , access: "restricted" } ); // Update hashgraph await iidDoc . resourceHashgraph . add ({ id: resource . id , type: resource . type , proof: resource . proof }); }
async function decryptDomainSettings ( recipientKeys : EncryptionKeys , iidDoc : IIDDocument ) : Promise < any > { // Get encrypted settings resource const resource = await iidDoc . mediator . getResource ( ` ${ iidDoc . id } #encrypted-settings` ); // Verify recipient authorization if ( resource . encryptedData [ 0 ]. recipient !== recipientKeys . keyAgreement . id ) { throw new Error ( "Unauthorized recipient" ); } // Get controller's key agreement key const controllerKey = await resolveKeyAgreementKey ( iidDoc . id ); // Perform ECDH const sharedSecret = await X25519 . deriveSharedSecret ( recipientKeys . keyAgreement . privateKeyMultibase , controllerKey . publicKeyMultibase ); // Derive decryption key const decryptionKey = await HKDF ( sharedSecret , { salt: resource . encryptedData [ 0 ]. salt , info: "ixo-domain-settings-encryption" }); // Decrypt settings const plaintext = await AES_GCM . decrypt ( decryptionKey , base64Decode ( resource . encryptedData [ 0 ]. value ), base64Decode ( resource . encryptedData [ 0 ]. nonce ), { recipient: recipientKeys . keyAgreement . id } ); return JSON . parse ( plaintext ); }
Setup Encryption Keys
Generate key agreement key pair
Generate authentication key pair
Register in IID document
Secure private keys
Encrypt Settings
Perform key agreement
Derive encryption key
Encrypt with authentication
Generate proof
Store Encrypted Data
Create encrypted resource
Store via mediator
Update hashgraph
Maintain privacy
Access Control
Verify recipient
Validate authorization
Check proofs
Enforce permissions
Security Considerations
Key Management
Regular key rotation
Secure key storage
Authorization validation
Access revocation
Encryption
Authenticated encryption
Fresh nonces
Additional data
Integrity checks
Storage
Off-chain encryption
Mediator security
Proof verification
Backup strategy
Future Proofing
Post-quantum readiness
Protocol upgrades
Version management
Migration support
Prerequisites
IID Knowledge
Interchain Identifier specification
Domain tokenization concepts
Linked resources
Privacy-preserving features
Cryptography
Key agreement methods
Content-derived identifiers
Hashgraph verification
Tor network integration
Domain IID Setup
{ "@context" : [ "https://www.w3.org/ns/did/v1" , "https://w3id.org/ixo/ns/interchain-identifiers/v1" ], "id" : "did:ixo:domain123" , "verificationMethod" : [ { "id" : "did:ixo:domain123#keys-1" , "type" : "Ed25519VerificationKey2020" , "controller" : "did:ixo:domain123" , "publicKeyMultibase" : "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" } ], "authentication" : [ "did:ixo:domain123#keys-1" ], "service" : [{ "id" : "did:ixo:domain123#mediator" , "type" : "polymorphicMediator2021" , "serviceEndpoint" : "http://mediator.onion/iid/mediator/did:ixo:domain123" }], "linkedResource" : [{ "id" : "did:ixo:domain123#resourceHashgraph" , "path" : "did:ixo:domain123/resourceHashgraph" , "type" : "hashgraph" , "proof" : "afybeiemxf5abjwjbikoz4mcb3a3dla6ual3jsgpdr4cjr3oz" , "endpoint" : "did:ixo:domain123?service=mediator" }] }
interface DomainProperties { // Tokenization properties tokenType : string ; tokenClass : string ; // Linked resources resources : LinkedResource []; // Rights and capabilities accordedRights : Right []; capabilities : Capability []; // Entity relationships linkedEntities : EntityLink []; // Blockchain accounts accounts : BlockchainAccount []; } interface LinkedResource { id : string ; path : string ; type : string ; proof : string ; endpoint : string ; } Privacy-Preserving Features
Polymorphic Mediation
Single service endpoint
Tor network integration
Blind request routing
Service negotiation
Resource Hashgraph
Content-derived identifiers
Verifiable resource linking
Private resource count
Proof verification
Herd Privacy
Standardized document structure
Common service patterns
Minimal correlation data
Population-based obscurity
Secure Storage
Off-chain encryption
Content addressing
Distributed storage
Access control
Implementation Guide Domain Setup
Resource Management
Privacy Features
import { IIDDocument , LinkedResource } from '@ixo/iid-sdk' ; async function createPrivateDomain ( controller : string , properties : DomainProperties ) : Promise < IIDDocument > { // Create hashgraph for domain resources const resourceHashgraph = await createResourceHashgraph ( properties . resources ); // Setup polymorphic mediator const mediator = await setupPolymorphicMediator ( controller ); // Create IID document const iidDoc = await IIDDocument . create ({ controller , mediator , resourceHashgraph , properties }); return iidDoc ; }
Domain Capabilities
Asset Identification
Unique digital asset typing
Token class specification
Verifiable identifiers
Namespace registration
Resource Linking
On-chain/off-chain resources
Verifiable content addressing
Private resource metadata
Proof verification
Rights Management
Machine-executable rights
Capability delegation
Service invocation
Access control
Entity Relationships
Spatial Web integration
Graph relationships
Edge definitions
Node connections
Security Considerations
Single service endpoint
Tor network routing
Polymorphic mediation
Population-based privacy
Content-derived addressing
Hashgraph verification
Proof validation
Secure storage
Capability-based security
Delegated rights
Service authorization
Resource permissions
Best Practices
IID Compliance
Follow IID specification
Implement privacy features
Use content addressing
Enable service mediation
Resource Management
Content-derived identifiers
Hashgraph implementation
Private metadata
Proof generation
Privacy
Minimize correlation
Use Tor endpoints
Implement mediation
Protect metadata
Integration
Spatial Web compatibility
Cross-chain interoperability
Standard representations
Proper verification
Developer Resources Next Steps 
