REF manages four distinct key types across its protocol layers. No single key compromise breaks the whole system — each key type has a bounded blast radius, a defined lifecycle, and an explicit degradation mode.
Key management is where cryptographic theory meets operational reality. For each key type, we state not just what it does, but what happens when it's compromised — because rigorous engineering means modeling failure, not just success.
The merchant signing key is the merchant's identity in the REF protocol. It signs purchase attestations: an attestation proves who asserted that a purchase occurred.
$A := \mathrm{Sign}_{\mathrm{Ed25519}}(sk_{\mathrm{merchant}},\; H_{\mathrm{ext}}(\mathrm{purchase}))$
An attacker with the merchant's signing key can fabricate attestations for purchases that never occurred (phantom attestation — ATK-3). The economic layer makes this irrational: merchant performance deposits ($10K/$25K/$50K+ by tier) exceed the value of fabricated reviews. But it is not cryptographically prevented — it is economically deterred.
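The point that a phantom attestation is economically deterred but not cryptographically prevented is easiest to see by running it. The following is an added example, not REF's code: it signs $H_{\mathrm{ext}}(\mathrm{purchase})$ with Ed25519 as the formula above states, then shows that an attestation produced with a stolen key verifies exactly like a genuine one, that tampering with a signed digest fails, and that key rotation is what finally rejects the phantom. The `Attestation` layout, the `REF-purchase-v1|` domain tag inside `hExt`, the merchant ID and the purchase records are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attestation carries A = Sign_Ed25519(sk_merchant, H_ext(purchase)) together
// with the merchant ID the verifier uses to look up the public key.
// The struct layout is an assumption of this example, not REF's wire format.
type Attestation struct {
	MerchantID string
	Digest     [32]byte // H_ext(purchase)
	Sig        []byte   // 64-byte Ed25519 signature over Digest
}

// hExt stands in for the page's H_ext: domain-separated SHA-256 over the
// purchase record. The domain tag is an assumption of this example.
func hExt(purchase []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte("REF-purchase-v1|"))
	h.Write(purchase)
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// attest produces the merchant's signed attestation for one purchase record.
func attest(merchantID string, sk ed25519.PrivateKey, purchase []byte) Attestation {
	d := hExt(purchase)
	return Attestation{MerchantID: merchantID, Digest: d, Sig: ed25519.Sign(sk, d[:])}
}

// Registry maps a merchant ID to its currently accepted public key.
// Rotation simply replaces the entry (see the note after the code).
type Registry map[string]ed25519.PublicKey

// Verify checks the attestation against the key registered for the merchant.
func (r Registry) Verify(a Attestation) bool {
	pk, ok := r[a.MerchantID]
	if !ok || len(a.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pk, a.Digest[:], a.Sig)
}

// Scenario walks through the compromise: a legitimate attestation, a phantom
// attestation signed with the stolen key, a tampered digest, and verification
// of the phantom after the merchant rotates to a fresh key.
func Scenario() (legitOK, phantomOK, tamperedOK, phantomAfterRotation bool) {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"merchant-42": pk} // constructed merchant ID

	record := []byte(`{"order":"A1","sku":"X","amount":4999}`) // constructed record
	a := attest("merchant-42", sk, record)
	legitOK = reg.Verify(a)

	// ATK-3: the attacker holds sk and attests a purchase that never happened.
	// The signature is perfectly valid; nothing at this layer can tell.
	phantom := attest("merchant-42", sk, []byte(`{"order":"GHOST-1","sku":"X","amount":4999}`))
	phantomOK = reg.Verify(phantom)

	// Without sk, altering what an attestation claims breaks it: the signature
	// binds H_ext(purchase), so a flipped digest bit fails verification.
	t := a
	t.Digest[0] ^= 0x01
	tamperedOK = reg.Verify(t)

	// Rotation bounds the window: once the registry holds a new key, the
	// attacker's phantom (and anything else under the old key) is rejected.
	newPk, _, _ := ed25519.GenerateKey(rand.Reader)
	reg["merchant-42"] = newPk
	phantomAfterRotation = reg.Verify(phantom)
	return
}

func main() {
	l, p, t, r := Scenario()
	fmt.Printf("legit=%v phantom=%v tampered=%v phantomAfterRotation=%v\n", l, p, t, r)
}
```

Under this naive registry, genuine attestations issued before the rotation are rejected too. A deployment would normally retire the old key with an end-of-validity time and have each attestation name the key it was signed under, so that pre-rotation attestations still verify while fresh signatures under the stolen key are refused; that design is an assumption here, not something the page describes.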
Validators use these keys to sign PBFT consensus messages. A quorum certificate (QC) is proof that ≥ ⌈2c/3⌉ validators agreed on a token's validity.
A single compromised validator key is tolerated: PBFT safety only fails once more than f = ⌊c/3⌋ of the c committee validators are Byzantine. Compromising one key gains the attacker one vote in one committee, not control of the committee. Because committees are selected by VRF, the adversary also cannot predict in advance which validators will sit on any given committee, so it cannot aim its key compromises at a committee it wants to capture.
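What "one vote, not control" means mechanically is that a quorum certificate counts distinct committee members, not signatures. The following is an added example, not REF's consensus code: validators sign PBFT commit votes with Ed25519, `CountQC` keys the votes by validator ID and checks the page's ≥ ⌈2c/3⌉ threshold, and `Equivocators` produces the slashable evidence for a validator that signs two different digests in one view. The vote layout, the signed encoding in `voteMsg`, the committee size c = 4 and the token digests are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Vote is one validator's signed PBFT commit for (view, digest). The layout
// and the signed encoding below are assumptions of this example.
type Vote struct {
	ValidatorID int
	View        uint64
	Digest      [32]byte
	Sig         []byte
}

// voteMsg is the byte string a validator signs: a tag, the view, the digest.
func voteMsg(view uint64, digest [32]byte) []byte {
	var v [8]byte
	binary.BigEndian.PutUint64(v[:], view)
	msg := append([]byte("COMMIT|"), v[:]...)
	return append(msg, digest[:]...)
}

func signVote(id int, sk ed25519.PrivateKey, view uint64, digest [32]byte) Vote {
	return Vote{ValidatorID: id, View: view, Digest: digest, Sig: ed25519.Sign(sk, voteMsg(view, digest))}
}

// QuorumThreshold is the page's QC size, ⌈2c/3⌉, in integer arithmetic.
func QuorumThreshold(c int) int { return (2*c + 2) / 3 }

// validVote checks the signature under the committee key of the validator the
// vote claims to come from; a stolen key cannot impersonate a different member.
func validVote(committee []ed25519.PublicKey, v Vote) bool {
	if v.ValidatorID < 0 || v.ValidatorID >= len(committee) {
		return false
	}
	return ed25519.Verify(committee[v.ValidatorID], voteMsg(v.View, v.Digest), v.Sig)
}

// CountQC returns how many distinct members validly voted for (view, digest)
// and whether that reaches the quorum. Keying by validator ID makes a stolen
// key worth exactly one vote, however many times it is used.
func CountQC(committee []ed25519.PublicKey, votes []Vote, view uint64, digest [32]byte) (int, bool) {
	seen := map[int]bool{}
	for _, v := range votes {
		if v.View == view && v.Digest == digest && validVote(committee, v) {
			seen[v.ValidatorID] = true
		}
	}
	return len(seen), len(seen) >= QuorumThreshold(len(committee))
}

// Equivocators lists validators that validly signed two different digests in
// the same view: the slashable evidence the page refers to.
func Equivocators(committee []ed25519.PublicKey, votes []Vote) []int {
	type slot struct {
		id   int
		view uint64
	}
	first, flagged, out := map[slot][32]byte{}, map[int]bool{}, []int(nil)
	for _, v := range votes {
		if !validVote(committee, v) {
			continue
		}
		k := slot{v.ValidatorID, v.View}
		if d, ok := first[k]; !ok {
			first[k] = v.Digest
		} else if d != v.Digest && !flagged[v.ValidatorID] {
			flagged[v.ValidatorID] = true
			out = append(out, v.ValidatorID)
		}
	}
	return out
}

// Scenario: c = 4, f = 1, quorum = 3. The attacker holds validator 3's key and
// wants a QC for token Y instead of the honest choice X.
func Scenario() (xVotes int, xQC bool, yVotes int, yQC bool, slashed []int) {
	const c, view = 4, 7
	pks := make([]ed25519.PublicKey, c)
	sks := make([]ed25519.PrivateKey, c)
	for i := range pks {
		pks[i], sks[i], _ = ed25519.GenerateKey(rand.Reader)
	}
	x := sha256.Sum256([]byte("token X (constructed)"))
	y := sha256.Sum256([]byte("token Y (constructed)"))

	var votes []Vote
	for i := 0; i < 3; i++ { // honest validators 0..2 commit to X
		votes = append(votes, signVote(i, sks[i], view, x))
	}
	for i := 0; i < 3; i++ { // stolen key: three submissions for Y, counted once
		votes = append(votes, signVote(3, sks[3], view, y))
	}
	votes = append(votes, signVote(3, sks[3], view, x)) // and one for X: equivocation
	votes = append(votes, signVote(0, sks[3], view, y)) // impersonating validator 0: wrong key, rejected

	xVotes, xQC = CountQC(pks, votes, view, x)
	yVotes, yQC = CountQC(pks, votes, view, y)
	slashed = Equivocators(pks, votes)
	return
}

func main() {
	xv, xq, yv, yq, sl := Scenario()
	fmt.Printf("X: %d votes, QC=%v | Y: %d votes, QC=%v | slashable: %v\n", xv, xq, yv, yq, sl)
}
```

With c = 4 the honest three already reach the quorum of 3, so X gets a QC; the stolen key contributes a single vote for Y and is flagged for equivocation because it also signed X in the same view.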
The ZK proving and verification keys are not signing keys. They are the Structured Reference String (SRS) output by a trusted setup ceremony: the proving key enables proof generation, the verification key enables proof checking. Neither is a secret in the traditional sense; the secret that matters is the ceremony's toxic waste, which must never exist in one place.
Circuit: `ref_token_v1_1.circom` · 1,155 constraints · EV-011 v2.1 (commit 3c3017b)
If the Powers-of-Tau toxic waste is recovered, an adversary can forge proofs for any statement — meaning they could fabricate purchase proofs without real purchases. This is a catastrophic failure mode with no detection at the protocol level.
Mitigation: (a) the Hermez Powers-of-Tau ceremony had 1,088 contributors, and the toxic waste can only be reconstructed if every one of them leaked or retained their secret, so security requires only one honest participant; (b) the Phase 2 roadmap evaluates PLONKish universal-setup systems (PLONK, Halo2) that remove per-circuit trust entirely; (c) the circuit-specific (Phase 2) contribution to REF's own trusted setup lacks an independent audit trail. This is an acknowledged gap, with external attestation budgeted.
Transport keys are the ephemeral keys of TLS 1.3 sessions. They protect the confidentiality of data in transit, and none of REF's core security properties depend on them: authenticity (P-AUTH), uniqueness (P-UNIQ), integrity (P-INTEG) and privacy (P-PRIV) are all enforced by the layers above.
If every transport key were compromised, or TLS were stripped entirely, an on-path attacker could read or delay traffic, but the ZK proofs, merchant signatures and quorum certificates would remain valid and unforgeable, and the attacker could not mint new ones.
Defense in depth means every key type has a bounded blast radius. No single key compromise cascades across layers.
| Key Compromised | Impact | Blast Radius | Mitigation |
|---|---|---|---|
| Merchant sk | Phantom attestations for that merchant | Single merchant | Economic deterrence (bonds). Platform cross-validation. Key rotation. |
| Validator sk | One Byzantine vote per compromised key | 1/c of committee | BFT tolerance (f < c/3). VRF unpredictability. Slashing on equivocation. |
| ZK toxic waste | Arbitrary proof forgery — any statement | Entire protocol | 1,088-contributor ceremony. PLONKish migration roadmap. No detection possible. |
| Transport sk | Session eavesdropping (single connection) | One session | PFS — past sessions safe. Ephemeral keys — no persistence. Protocol integrity unaffected. |
The two most operationally likely compromises (a merchant key, a transport key) have the smallest blast radii. The compromise with the largest blast radius (ZK toxic waste) requires that all 1,088 participants in the MPC ceremony colluded or leaked their secrets, a fundamentally different class of difficulty. This is by design, not by accident.