Keys are asymmetric cryptography key pairs used for:
- Signing and validating payments and staking certificates
- Identifying and defining addresses on the Cardano blockchain
This schematic illustrates the relationship between keys, addresses, and certificates:
Types of keys
In Cardano, there are two main key types:
- Node keys
- Address keys
Node keys represent the security of the blockchain and consist of the following keys
- Operator/operational key
- KES key pair
- VRF keys
These are operators’ offline key pairs that include a certificate counter for new certificates.
It is the responsibility of the operator to manage both the hot (online), and cold (offline) keys for the pool. Cold keys must be secure and should not reside on a device with internet connectivity. It is recommended to keep multiple backups of cold keys.
KES key pair
To create an operational certificate for a block-producing node, you need a Key Evolving Signature (KES) key pair, which authenticates who you are.
A KES key can only evolve for a certain number of periods and becomes useless afterwards. This is useful, because even if an attacker compromises the key and gets access to the signing key, he can only use that to sign blocks from now on, but not blocks dating from earlier periods, making it impossible for the attacker to rewrite history.
After the set number of periods has passed, the node operator must generate a new KES key pair, issue a new operational node certificate with that new key pair, and restart the node with the new certificate.
Ouroboros Praos adds an extra layer of security to block production via Verifiable Random Function (VRF) keys.
In other proof-of-stake blockchain protocols (Ouroboros Classic or BFT, for instance), we know who has the right to make the block in each slot, because the slot leader schedule is public. In this case, you only have to prove that you are who you say you are, and everyone can check the public slot leader schedule to verify it.
However, Ouroboros Praos's slot leader schedule is kept private, which means that nobody knows in advance who is going to be the slot leader, but once someone is, they can prove to everyone else that they are using the VRF key.
The VRF key is a signing verification key stored within the operational certificate. It proves that a node has the right to create a block in a given slot.
Address keys represent the functions of the addresses derived from the keys for identifying funds on the blockchain that consist of the following keys:
- Payment key: single address key pair usually used for generating UTXO addresses
- Staking key: stake/reward address key pair usually used for generating account/reward addresses.