vetKeys BLS12-381 G2 transport_public_key

Guys I would appreciate some help. I have wasted days trying everything to implement the .wasm thing for the vetkd to create transport key to pass to rust canister for encrypted generation. I am in reactjs with craco.

I have ended up opting for another library
```javascript
import * as bls from '@noble/bls12-381';

// 1. Generate ephemeral transport key pair (BLS12-381 G2)
let transportSeed = window.crypto.getRandomValues(new Uint8Array(32));
// Expand to 40 bytes as required by hashToPrivateKey
let transportSeed40 = new Uint8Array(40);
transportSeed40.set(transportSeed);
transportSeed40.set(window.crypto.getRandomValues(new Uint8Array(8)), 32);
const transportPrivKey = bls.utils.hashToPrivateKey(transportSeed40);
// Use compressed (96 bytes) format as required by DFINITY VetKD
const transportPubKeyBytes = bls.PointG2.fromPrivateKey(transportPrivKey).toRawBytes(true); // compressed (96 bytes)

// 2. Call backend get_encrypted_key_for_session
setStatusMessage('Requesting encrypted key from backend (authenticated)...');
const getEncryptedKeyResult = await actorInstance.get_encrypted_key_for_session(
  BigInt(sessionId),
  Array.from(transportPubKeyBytes),
);
```

I keep getting Canister called ic0.trap with message: invalid encryption public key.\nConsider gracefully handling failures from this canister or altering the canister to handle exceptions.

Can someone confirm the exact specification of the expected encryption_public_key in
```rust
let args = VetkdDeriveEncryptedKeyArgs {
    key_id: VetkdDeriveEncryptedKeyArgsKeyId {
        name: "test_key_1".to_string(),
        curve: VetkdCurve::Bls12381G2,
    },
    derivation_path: vec!,
    derivation_id: ByteBuf::from(session.hashed_login.as_bytes().to_vec()),
    encryption_public_key: ByteBuf::from(transport_public_key),
};
```

PLEASE, it would be of great help to solve it.

When I try the WASM solution I get ERROR in ./node_modules/ic-vetkd-utils/ic_vetkd_utils.js 5:0-21

Can’t import the named export ‘__wbindgen_start’ (imported as ‘wasm’) from default-exporting module (only default export is available)

I follow exactly the guide in ic/packages/ic-vetkd-utils to build the webpack and add in package and npm install --save

Then I try to import in a .js file and nothing, it comes with that error. I have tried replacing the code in the utils to avoid __wbindgen_start, and I have also tried the await vetkd( .wasm path). Nothing has worked.

Or Error during authentication: wasm.__wbindgen_add_to_stack_pointer is not a function when I download the ready and used in examples/rust/vetkd/ic-vetkd-utils-0.1.0.tgz at master · dfinity/examples · GitHub

> I have wasted days trying everything to implement the .wasm thing for the vetkd to create transport key to pass to rust canister for encrypted generation.

Sorry about that, the wasm module didn’t work out quite as nicely as we had hoped. There is a new TypeScript library for the required frontend operations in vetkd-devkit/frontend/ic_vetkeys at main · dfinity/vetkd-devkit · GitHub that you may want to look at.

> const transportPubKeyBytes = bls.PointG2.fromPrivateKey(transportPrivKey).toRawBytes(true);

This is the cause of the rejection - the transport public key should be in the G1 group. I can see how you were misled by the G2 notation here in the key id - that is signifying that the key itself that is used to generate the VetKey is in the G2 group.
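
The G1/G2 mix-up described in the reply above can be caught on the client before the canister traps. The following is an added example, not code from the thread or from the DFINITY libraries: it inspects the length and flag bits of a serialized BLS12-381 point (ZCash-style encoding) and assumes the canister expects a 48-byte compressed G1 key; `classifyBlsEncoding` and `checkTransportPublicKey` are hypothetical names.

```javascript
// Added example (not from the thread). Structural pre-flight check only: it
// does not prove the point is on the curve or in the prime-order subgroup.
const G1_COMPRESSED_LEN = 48; // assumption: canister expects compressed G1
const FLAG_COMPRESSED = 0x80; // top bit of byte 0
const FLAG_INFINITY = 0x40;   // second bit of byte 0
// BLS12-381 base field modulus p
const P = BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf' +
  '6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab');

// Name the encoding from its length plus the compression flag.
function classifyBlsEncoding(bytes) {
  const compressed = (bytes[0] & FLAG_COMPRESSED) !== 0;
  if (bytes.length === 48 && compressed) return 'G1-compressed';
  if (bytes.length === 96 && compressed) return 'G2-compressed';
  if (bytes.length === 96 && !compressed) return 'G1-uncompressed';
  if (bytes.length === 192 && !compressed) return 'G2-uncompressed';
  return 'unknown';
}

function checkTransportPublicKey(input) {
  const bytes = Uint8Array.from(input);
  const kind = classifyBlsEncoding(bytes);
  if (kind !== 'G1-compressed') {
    return { ok: false, reason: `expected ${G1_COMPRESSED_LEN}-byte ` +
      `G1-compressed, got ${kind} (${bytes.length} bytes)` };
  }
  if (bytes[0] & FLAG_INFINITY) {
    return { ok: false, reason: 'point at infinity is not a usable key' };
  }
  // Drop the three flag bits, then read x as a big-endian integer.
  let x = BigInt(bytes[0] & 0x1f);
  for (let i = 1; i < bytes.length; i++) x = (x << 8n) | BigInt(bytes[i]);
  if (x >= P) return { ok: false, reason: 'x coordinate not reduced mod p' };
  return { ok: true, reason: 'well-formed compressed G1 encoding' };
}

const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
// Standard BLS12-381 G1 generator, compressed (a valid 48-byte G1 encoding).
const g1Generator = fromHex('97f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905' +
  'a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb');
// Constructed 96-byte buffer shaped like the thread's toRawBytes(true) G2 output
// (compression flag set); the contents are filler, not a real point.
const g2Shaped = new Uint8Array(96).fill(0x11);
g2Shaped[0] = 0x93;

console.log(checkTransportPublicKey(g1Generator));
console.log(checkTransportPublicKey(g2Shaped));
```

A 96-byte buffer is ambiguous by length alone (compressed G2 or uncompressed G1), which is why the check reads the compression flag as well.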

Thank you for this. I use the new library you provided me.

I create the transport key TransportSecretKey.random() for the key and tsk.publicKeyBytes() for the transport public.

dpk I get from the same canister as the one that returns me the vetKey

```javascript
decryptedVetKey = new EncryptedVetKey(new Uint8Array(encrypted_key)).decryptAndVerify(tsk, dpk, derivationIdBytes);

const decryptedPrivate = decryptedVetKey.deriveSymmetricKey('some-salt', 32);
```

Am I using this correct? Is it secure to use a returned vetKey with deriveSymmetricKey for user logins or wallets? Are returned vetKeys truly secure?

Thanks in advance.

> Am I using this correct?

Yes at least from the snippet posted here this looks like correct usage.

> Is it secure to use a returned vetKey with deriveSymmetricKey for user logins or wallets? Are returned vetKeys truly secure?

It really is! The vetkey is created by a threshold protocol which ensures that the protocol proceeds correctly even if one or more of the nodes is malicious. As long as your transport secret key is randomly generated (here we are trusting the browser to do the right thing), nobody else can know the vetkey value.

Note this assumes that the canister is performing some kind of authorization checks on the relevant vetkd_derive_key calls! If your canister for example allows any vetkey requests to come in and just sends the response, then of course anyone else can ask the canister for the same key, and they’ll get it.


Thanks for the reply. I have now tested everything locally. Consistent and nicely producing the results I expect and yes to your comment of course there is an authorisation to return the key specifically to the authorised requester and for a certain time etc.

I now look to take this to main network. Reading docs I understand this is not in main IC yet? Is it only available with testing key? Do we have expected date for live key?

Or is it live already and docs are not updated yet? Can I derive vet keys safely on mainnet already?
