Cardano keys

Keys are asymmetric cryptography key pairs used for:

  • Signing and validating payments and staking certificates
  • Identifying and defining addresses on the Cardano blockchain

This schematic illustrates the relationship between keys, addresses, and certificates:


Types of keys

In Cardano, there are two main key types:

  • Node keys
  • Address keys

Node keys

Node keys represent the security of the blockchain and consist of the following keys

  • Operator/operational key
  • KES key pair
  • VRF keys

Operator/operational key

These are operators’ offline key pairs that include a certificate counter for new certificates.

It is the responsibility of the operator to manage both the hot (online), and cold (offline) keys for the pool. Cold keys must be secure and should not reside on a device with internet connectivity. It is recommended to keep multiple backups of cold keys.

KES key pair

To create an operational certificate for a block-producing node, you need a Key Evolving Signature (KES) key pair, which authenticates who you are.

A KES key can only evolve for a certain number of periods and becomes useless afterwards. This is useful, because even if an attacker compromises the key and gets access to the signing key, he can only use that to sign blocks from now on, but not blocks dating from earlier periods, making it impossible for the attacker to rewrite history.

After the set number of periods has passed, the node operator must generate a new KES key pair, issue a new operational node certificate with that new key pair, and restart the node with the new certificate.

VRF keys

Ouroboros Praos adds an extra layer of security to block production via Verifiable Random Function (VRF) keys.

In other proof-of-stake blockchain protocols (Ouroboros Classic or BFT, for instance), we know who has the right to make the block in each slot, because the slot leader schedule is public. In this case, you only have to prove that you are who you say you are, and everyone can check the public slot leader schedule to verify it.

However, Ouroboros Praos's slot leader schedule is kept private, which means that nobody knows in advance who is going to be the slot leader, but once someone is, they can prove to everyone else that they are using the VRF key.

The VRF key is a signing verification key stored within the operational certificate. It proves that a node has the right to create a block in a given slot.

Address keys

Address keys represent the functions of the addresses derived from the keys for identifying funds on the blockchain that consist of the following keys:

  • Payment key: single address key pair usually used for generating UTXO addresses
  • Staking key: stake/reward address key pair usually used for generating account/reward addresses.

Further reading

© IOHK 2015 - 2022

Cardano Logo

Cardano is an open-source project.

Cardano is a software platform ONLY and does not conduct any independent diligence on, or substantive review of, any blockchain asset, digital currency, cryptocurrency or associated funds. You are fully and solely responsible for evaluating your investments, for determining whether you will exchange blockchain assets based on your own judgement, and for all your decisions as to whether to exchange blockchain assets with Cardano. In many cases, blockchain assets you exchange on the basis of your research may not increase in value, and may decrease in value. Similarly, blockchain assets you exchange on the basis of your research may fall or rise in value after your exchange.

Past performance is not indicative of future results. Any investment in blockchain assets involves the risk of loss of part or all of your investment. The value of the blockchain assets you exchange is subject to market and other investment risks