Domain Privacy

Domain encryption enables controllers to securely store sensitive domain settings using Interchain Identifiers (IIDs), which are fully conformant DIDs specifically designed for digital domains within blockchain namespaces.

Overview

Domain encryption provides:

IID-compliant document structure
Privacy-preserving domain tokenization
Verifiable linked resources
Polymorphic service mediation
Herd privacy protection

Domain Settings Encryption

Domain settings encryption uses pairwise key agreement and authenticated encryption to ensure that sensitive configuration data is only accessible to authorized parties, while maintaining IID compliance.

interface EncryptionKeys {
  keyAgreement: {
    id: string;
    type: "X25519KeyAgreementKey2020";
    privateKeyMultibase: string;
    publicKeyMultibase: string;
  };
  authentication: {
    id: string;
    type: "Ed25519VerificationKey2020";
    privateKeyMultibase: string;
    publicKeyMultibase: string;
  };
}

async function setupEncryptionKeys(
  controller: string
): Promise<EncryptionKeys> {
  // Generate key agreement key pair
  const keyAgreement = await X25519.generateKeyPair();
  
  // Generate authentication key pair
  const authentication = await Ed25519.generateKeyPair();
  
  return {
    keyAgreement: {
      id: `${controller}#key-1`,
      type: "X25519KeyAgreementKey2020",
      privateKeyMultibase: keyAgreement.privateKey,
      publicKeyMultibase: keyAgreement.publicKey
    },
    authentication: {
      id: `${controller}#key-2`,
      type: "Ed25519VerificationKey2020",
      privateKeyMultibase: authentication.privateKey,
      publicKeyMultibase: authentication.publicKey
    }
  };
}

interface EncryptedSettings {
  name: string;
  value: string;
  nonce: string;
  recipient: string;
  timestamp: string;
}

async function encryptDomainSettings(
  controllerKeys: EncryptionKeys,
  recipientDID: string,
  settings: any
): Promise<EncryptedSettings> {
  // Get recipient's key agreement key
  const recipientKey = await resolveKeyAgreementKey(recipientDID);
  
  // Perform ECDH
  const sharedSecret = await X25519.deriveSharedSecret(
    controllerKeys.keyAgreement.privateKeyMultibase,
    recipientKey.publicKeyMultibase
  );
  
  // Derive encryption key
  const encryptionKey = await HKDF(sharedSecret, {
    salt: randomBytes(32),
    info: "ixo-domain-settings-encryption"
  });
  
  // Encrypt settings
  const nonce = randomBytes(12);
  const ciphertext = await AES_GCM.encrypt(
    encryptionKey,
    JSON.stringify(settings),
    nonce,
    { recipient: recipientDID }
  );
  
  return {
    name: "domainSettings",
    value: base64Encode(ciphertext),
    nonce: base64Encode(nonce),
    recipient: recipientDID,
    timestamp: new Date().toISOString()
  };
}

interface EncryptedResource {
  id: string;
  type: string;
  encryptedData: EncryptedSettings[];
  proof: string;
}

async function storeEncryptedSettings(
  iidDoc: IIDDocument,
  settings: EncryptedSettings
): Promise<void> {
  // Create encrypted resource
  const resource: EncryptedResource = {
    id: `${iidDoc.id}#encrypted-settings`,
    type: "EncryptedDomainSettings",
    encryptedData: [settings],
    proof: await generateProof(settings)
  };

  // Store via polymorphic mediator
  await iidDoc.mediator.storeResource(
    resource.id,
    resource,
    {
      encryption: "required",
      access: "restricted"
    }
  );

  // Update hashgraph
  await iidDoc.resourceHashgraph.add({
    id: resource.id,
    type: resource.type,
    proof: resource.proof
  });
}

async function decryptDomainSettings(
  recipientKeys: EncryptionKeys,
  iidDoc: IIDDocument
): Promise<any> {
  // Get encrypted settings resource
  const resource = await iidDoc.mediator.getResource(
    `${iidDoc.id}#encrypted-settings`
  );
  
  // Verify recipient authorization
  if (resource.encryptedData[0].recipient !== recipientKeys.keyAgreement.id) {
    throw new Error("Unauthorized recipient");
  }
  
  // Get controller's key agreement key
  const controllerKey = await resolveKeyAgreementKey(iidDoc.id);
  
  // Perform ECDH
  const sharedSecret = await X25519.deriveSharedSecret(
    recipientKeys.keyAgreement.privateKeyMultibase,
    controllerKey.publicKeyMultibase
  );
  
  // Derive decryption key
  const decryptionKey = await HKDF(sharedSecret, {
    salt: resource.encryptedData[0].salt,
    info: "ixo-domain-settings-encryption"
  });
  
  // Decrypt settings
  const plaintext = await AES_GCM.decrypt(
    decryptionKey,
    base64Decode(resource.encryptedData[0].value),
    base64Decode(resource.encryptedData[0].nonce),
    { recipient: recipientKeys.keyAgreement.id }
  );
  
  return JSON.parse(plaintext);
}

Setup Encryption Keys
- Generate key agreement key pair
- Generate authentication key pair
- Register in IID document
- Secure private keys
Encrypt Settings
- Perform key agreement
- Derive encryption key
- Encrypt with authentication
- Generate proof
Store Encrypted Data
- Create encrypted resource
- Store via mediator
- Update hashgraph
- Maintain privacy
Access Control
- Verify recipient
- Validate authorization
- Check proofs
- Enforce permissions

Security Considerations

Key Management

Regular key rotation
Secure key storage
Authorization validation
Access revocation

Encryption

Authenticated encryption
Fresh nonces
Additional data
Integrity checks

Storage

Off-chain encryption
Mediator security
Proof verification
Backup strategy

Future Proofing

Post-quantum readiness
Protocol upgrades
Version management
Migration support

Prerequisites

IID Knowledge

Interchain Identifier specification
Domain tokenization concepts
Linked resources
Privacy-preserving features

Cryptography

Key agreement methods
Content-derived identifiers
Hashgraph verification
Tor network integration

Domain IID Setup

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/ixo/ns/interchain-identifiers/v1"
  ],
  "id": "did:ixo:domain123",
  "verificationMethod": [
    {
      "id": "did:ixo:domain123#keys-1",
      "type": "Ed25519VerificationKey2020",
      "controller": "did:ixo:domain123",
      "publicKeyMultibase": "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
    }
  ],
  "authentication": ["did:ixo:domain123#keys-1"],
  "service": [{
    "id": "did:ixo:domain123#mediator",
    "type": "polymorphicMediator2021",
    "serviceEndpoint": "http://mediator.onion/iid/mediator/did:ixo:domain123"
  }],
  "linkedResource": [{
    "id": "did:ixo:domain123#resourceHashgraph",
    "path": "did:ixo:domain123/resourceHashgraph",
    "type": "hashgraph",
    "proof": "afybeiemxf5abjwjbikoz4mcb3a3dla6ual3jsgpdr4cjr3oz",
    "endpoint": "did:ixo:domain123?service=mediator"
  }]
}

interface DomainProperties {
  // Tokenization properties
  tokenType: string;
  tokenClass: string;
  
  // Linked resources
  resources: LinkedResource[];
  
  // Rights and capabilities
  accordedRights: Right[];
  capabilities: Capability[];
  
  // Entity relationships
  linkedEntities: EntityLink[];
  
  // Blockchain accounts
  accounts: BlockchainAccount[];
}

interface LinkedResource {
  id: string;
  path: string;
  type: string;
  proof: string;
  endpoint: string;
}

Privacy-Preserving Features

Polymorphic Mediation
- Single service endpoint
- Tor network integration
- Blind request routing
- Service negotiation
Resource Hashgraph
- Content-derived identifiers
- Verifiable resource linking
- Private resource count
- Proof verification
Herd Privacy
- Standardized document structure
- Common service patterns
- Minimal correlation data
- Population-based obscurity
Secure Storage
- Off-chain encryption
- Content addressing
- Distributed storage
- Access control

Implementation Guide

Domain Capabilities

Asset Identification

Unique digital asset typing
Token class specification
Verifiable identifiers
Namespace registration

Resource Linking

On-chain/off-chain resources
Verifiable content addressing
Private resource metadata
Proof verification

Rights Management

Machine-executable rights
Capability delegation
Service invocation
Access control

Entity Relationships

Spatial Web integration
Graph relationships
Edge definitions
Node connections

Security Considerations

Best Practices

IID Compliance

Follow IID specification
Implement privacy features
Use content addressing
Enable service mediation

Resource Management

Content-derived identifiers
Hashgraph implementation
Private metadata
Proof generation

Privacy

Minimize correlation
Use Tor endpoints
Implement mediation
Protect metadata

Integration

Spatial Web compatibility
Cross-chain interoperability
Standard representations
Proper verification

Developer Resources

IID Specification

Interchain Identifiers specification

Implementation Guide

IID implementation details

Privacy Guide

Privacy-preserving features

Resource Guide

Resource management

For technical support or questions about domain encryption and IIDs, join our Developer Community or contact our Developer Relations Team.

Get Started

Guides

Platforms

Developers

Articles

Overview

Domain Settings Encryption

Security Considerations

Key Management

Encryption

Storage

Future Proofing

Prerequisites

IID Knowledge

Cryptography

Domain IID Setup

Privacy-Preserving Features

Implementation Guide

Domain Capabilities

Asset Identification

Resource Linking

Rights Management

Entity Relationships

Security Considerations

Best Practices

IID Compliance

Resource Management

Privacy

Integration

Developer Resources

IID Specification

Implementation Guide

Privacy Guide

Resource Guide

Get Started

Guides

Platforms

Developers

Articles

​Overview

​Domain Settings Encryption

​Security Considerations

Key Management

Encryption

Storage

Future Proofing

​Prerequisites

IID Knowledge

Cryptography

​Domain IID Setup

​Privacy-Preserving Features

​Implementation Guide

​Domain Capabilities

Asset Identification

Resource Linking

Rights Management

Entity Relationships

​Security Considerations

​Best Practices

IID Compliance

Resource Management

Privacy

Integration

​Developer Resources

IID Specification

Implementation Guide

Privacy Guide

Resource Guide

Overview

Domain Settings Encryption

Security Considerations

Prerequisites

Domain IID Setup

Privacy-Preserving Features

Implementation Guide

Domain Capabilities

Security Considerations

Best Practices

Developer Resources