---
title: "Cryptographic Primitives"
description: ""
url: https://instituteofprovenance.org/docs/cryptographic-primitives
source: Institute of Provenance
---
# Cryptographic Primitives

The XION specification mandates a specific set of cryptographic algorithms. This constrained choice ensures interoperability — every compliant implementation uses the same primitives, eliminating negotiation complexity and reducing the attack surface.

## Algorithm Summary

| Primitive | Algorithm | Purpose |
|-----------|-----------|---------|
| Digital Signatures | Ed25519 | Content signing, certificate signing |
| Content Hashing | BLAKE3 | Content integrity, canonicalized content digests |
| Key Identifier | SHA-256 (truncated) | Compact public key identification |
| Certificate Format | X.509 v3 | Certificate wrapping and chain encoding |
| State Verification | Sparse Merkle Trees | Certificate revocation proofs, epoch state |

## Ed25519

Ed25519 is the sole signature algorithm in XION v1. It provides:

- **128-bit security level** — Equivalent to RSA-3072 with much smaller keys
- **32-byte public keys, 64-byte signatures** — Compact for embedding in trust blocks and certificates
- **Deterministic signatures** — The same message and key always produce the same signature, eliminating a class of implementation bugs related to random number generation
- **Fast verification** — Critical for content trust where verification happens far more often than signing

Ed25519 operates on the edwards25519 curve as specified in RFC 8032.

## BLAKE3

BLAKE3 is the mandated content hashing algorithm. It was chosen over SHA-256 for:

- **Performance** — 3–4x faster than SHA-256 on modern hardware, with SIMD acceleration
- **Security margin** — Based on the BLAKE2/ChaCha family with a generous security margin
- **256-bit output** — Sufficient for collision resistance at the 128-bit security level
- **Tree hashing** — BLAKE3's internal Merkle tree structure enables incremental and parallel hashing, useful for large content

All content hashes in XION are BLAKE3-256, hex-encoded as 64 lowercase characters.

## SHA-256 (Key Identifier)

SHA-256 is used only for deriving compact key identifiers (`key_id` field in the trust block). The first 8 bytes of SHA-256(public_key_bytes) are base64url-encoded to produce an 11-character identifier.

SHA-256 is not used for content hashing. Its role is limited to key identification, where the truncated output provides sufficient collision resistance for lookup purposes.

## X.509 v3

Certificates are encoded as X.509 v3 structures, PEM-encoded in the trust block's `x509_chain_pem` field. X.509 was chosen for:

- **Mature tooling** — Every programming language has X.509 parsing libraries
- **Extensibility** — Custom extensions encode XION-specific metadata (signer identity, scope, orbital identifier)
- **Interoperability** — Organizations with existing PKI infrastructure can integrate XION certificate management into their workflows

All certificates use Ed25519 keys. RSA and ECDSA keys are not permitted in the XION certificate hierarchy.

## Sparse Merkle Trees

Sparse Merkle Trees (SMTs) provide cryptographic proofs of set membership and non-membership. In XION, they are used to maintain verifiable certificate revocation state.

An SMT is a binary Merkle tree where:

- The key space is 2^256 (every possible 256-bit key has a position)
- Most positions are empty (sparse)
- Inclusion proofs demonstrate that a key IS in the set (O(log n) sibling hashes)
- Exclusion proofs demonstrate that a key is NOT in the set (also O(log n) sibling hashes)

This enables trustless revocation checking: a verifier can confirm that a certificate has or has not been revoked without trusting the server that provided the proof. The proof is validated mathematically against the published tree root.

### Epochs

The SMT root is advanced in epochs. Each epoch represents a state transition (certificates added to or removed from the revoked set). The epoch number and corresponding tree root are signed by the Orbital and included in Proof records.
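
The Python example below is added here and is not part of the XION specification or its code. It builds a sparse Merkle tree over a constructed revoked set, verifies an inclusion proof and an exclusion proof against the root, and lets a proof be checked against a later epoch's root. Assumptions, because the page does not specify them: BLAKE2s from the standard library stands in for the tree hash, and the leaf encoding, the domain-separation bytes, the certificate keys and the uncompressed 256-sibling proof layout are all hypothetical.

```python
import hashlib

DEPTH = 256             # one tree level per bit of the 256-bit key space
EMPTY_LEAF = bytes(32)  # assumed encoding of an unoccupied position

def h(*parts: bytes) -> bytes:
    # Assumption: BLAKE2s stands in for the tree hash, which the page does not name.
    return hashlib.blake2s(b"".join(parts)).digest()

EMPTY = [EMPTY_LEAF]  # EMPTY[d] ends up as the root of an all-empty subtree at depth d
for _ in range(DEPTH):
    EMPTY.insert(0, h(b"\x01", EMPTY[0], EMPTY[0]))

def bit(key: bytes, depth: int) -> int:
    return (key[depth // 8] >> (7 - depth % 8)) & 1

def subtree_root(keys, depth=0):
    """Root of the subtree holding `keys`; empty subtrees cost no hashing."""
    if not keys:
        return EMPTY[depth]
    if depth == DEPTH:
        return h(b"\x00", keys[0])  # occupied leaf, domain-separated from inner nodes
    left = [k for k in keys if bit(k, depth) == 0]
    right = [k for k in keys if bit(k, depth) == 1]
    return h(b"\x01", subtree_root(left, depth + 1), subtree_root(right, depth + 1))

def prove(keys, key):
    """Sibling hashes along the path to `key`, root first (same shape for both proof kinds)."""
    siblings = []
    for depth in range(DEPTH):
        b = bit(key, depth)
        siblings.append(subtree_root([k for k in keys if bit(k, depth) != b], depth + 1))
        keys = [k for k in keys if bit(k, depth) == b]
    return siblings

def verify(root, key, revoked, siblings):
    """Recompute the root from the claimed leaf state and compare it to the published root."""
    if len(key) != 32 or len(siblings) != DEPTH:
        return False
    node = h(b"\x00", key) if revoked else EMPTY_LEAF
    for depth in reversed(range(DEPTH)):
        pair = (siblings[depth], node) if bit(key, depth) else (node, siblings[depth])
        node = h(b"\x01", *pair)
    return node == root

# Constructed sample data: certificate keys are hypothetical 256-bit digests.
CERT_A, CERT_B, CERT_C = (h(n) for n in (b"cert-A", b"cert-B", b"cert-C"))
ROOT_EPOCH_1 = subtree_root([CERT_A, CERT_B])          # A and B revoked
ROOT_EPOCH_2 = subtree_root([CERT_A, CERT_B, CERT_C])  # C revoked in a later epoch
```

An exclusion proof for `CERT_C` produced in epoch 1 fails against `ROOT_EPOCH_2`, which is why a verifier has to check a proof against the signed root of the epoch it claims. Nearly all of the 256 siblings equal the precomputed `EMPTY` values, which is what allows a compact proof encoding to carry only the non-default ones.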

