Human Keys – How They Work and Why They’re the Future of Secure Digital Identity
The Need for a New Approach to Key Management
In Part 1, we explored key management, the challenges of securing private keys, and how Holonym’s Mishti Network, enables protected self custody of wallets without leaning in on any centralized mechanism, thereby abstracting key management and simplifying authentication. Human Keys combines the security of Public Key Infrastructure with the familiarity of everyday inputs like passwords and biometrics for private key generation.
Building on that foundation, this part delves deeper into the mechanics of Human Keys—how they work, how they are set up, and why they represent the best option for secure digital digital interactions and identity management.
Human Keys redefines digital access, as highlighted in a recent media feature:
“Human Keys, on the other hand, takes a less intrusive, user-first approach. Instead of requiring specific biometric scans, the system works with various forms of human-verified data, giving users more autonomy. Such flexibility makes Human Keys more adaptable to different cultural and personal preferences regarding privacy”
What Are Human Keys?
Human Keys are a novel concept introduced by Holonym Foundation that allow users to generate secure private keys using familiar, human-friendly inputs. Unlike traditional private keys, which are typically generated from random seed phrases, Human Keys derive their security from inputs that users already know and use regularly, such as passwords, email addresses, or biometric data.
What is identity can differ from individuals. Human Keys takes a plural approach.
- What you are – ex. Biometrics
- What you have – ex. ePassports
- What you know - ex. Passwords, web accounts
The key innovation behind Human Keys is their ability to transform these low-entropy inputs into high-entropy private keys that are resistant to brute force attacks. This is achieved through an advanced cryptographic techniques threshold Verifiable Oblivious Pseudorandom Function (tVOPRF) used in Holonym’s Mishti Network. This approach makes key management more intuitive for users while maintaining the high level of security required for interaction and self custody of digital assets and identities.
Entropy Secures Private Keys
Entropy is a measure of randomness or unpredictability in a system. In cryptography, high entropy is crucial for generating strong private keys that are resistant to guessing or brute-force attacks. The security of private keys directly correlates with their entropy level.
While familiar authentication methods like passwords, security questions, and biometrics are user-friendly, they often suffer from low entropy. Passwords have predictable patterns on personal information, security questions can be socially engineered, and contrary to the popular belief biometrics like face and palm scans have lower entropy than commonly thought.
Modern technologies, including machine learning and quantum computing, can potentially crack these low-entropy systems. The misconception of biometrics as high-entropy is particularly dangerous, as they can be compromised.
How Human Keys Work: The Technical Backbone
At the core of Human Keys is the idea that secure private keys can be generated from inputs that are easy for users to remember and manage. However, because these inputs—such as passwords—typically have low entropy, they need to be transformed into something much more secure. Here’s how this process works:
- Input Collection: The user provides a familiar input, such as a password or biometric data, which is easy to recall for seamless authentication, reducing the risk of losing access. If the input is forgotten, it can be securely recovered in a trustless setup without relying on centralized authorities.
- tVOPRF Transformation: The provided input becomes the seed for generating a high-entropy private key by running a threshold Verifiable Oblivious Pseudorandom Function (tVOPRF).
Key Components:
- Pseudorandom Function enables the creation of high-entropy keys from low-entropy inputs deterministically, i.e. the same input will always produce the same output in a predictable, consistent manner.
- The "oblivious" part means that the network processing the data can't see or learn the user's input.
- The threshold mechanism ensures that no single node has control over key generation, making it distributed.
- This process is one-way; the original input can't be derived from the output, given the huge randomness
- Honest contribution of nodes are verifiable through zero knowledge proofs, ensuring integrity of the network
Privacy Consideration during Key Generation:
- The user's data is masked before being sent to the network, ensuring that no node can see the actual input.
- The network performs computations on this masked data.
Why Mishti as an Actively Validated Service
EigenLayer expands the capital efficiency of ETH by using staked ETH to provide economic security for services built on top of it. Currently, with 3.64 million ETH and 70 million EIGEN restaked (totaling $9.1 billion), EigenLayer’s economic security makes it an ideal foundation for Mishti, particularly as Human Keys address the critical issue of private key management.
Given that Personally Identifiable Information (PII) is used in creating Human Keys, Mishti leverages EigenLayer's continuous validation and anti-collusion design. This ensures a secure environment for processing sensitive data, with no single node having access to all the information.
EigenLayer’s dual-token system supports on-chain verifiability for objective problems and community-driven resolution for subjective issues. This, combined with decentralized governance, the reputation of EigenLayer operators, and alignment with Ethereum’s ethos, makes EigenLayer a strong fit for Mishti.
Setting Up and Using Human Keys
The easiest explanation is that it has the same steps as using google with Oauth.
Step by step explanation here:
For example, a user could sign up via Silk, Holonym’s onboarding wallet, which uses the Mishti Network for key derivation and recovery:
- The user signs up with a web account (e.g., Google). A JWT (a token containing user-specific claims like identity, issuer, and audience) is issued, masked using ZK , and processed privately via vOPRF to generate secure keys.
- The ZK-masked JWT ensures that even if malicious nodes intercept it, they cannot use the JWT for unauthorized operations or double-spending.
- The generated private key is split into two shares, one held by the user and the other by Silk’s server or network for a collaborative signing process – More on 2PC here.
- During sign-in, the user authenticates with their web account to retrieve their encrypted keyshare, which is decrypted using the masked JWT and OPRF.
- This seamless re-derivation of keys enables key recovery on any device, eliminating dependency on a single device and mitigating associated security risks.
Why Human Keys are secure
When it comes to security, Human Keys offer several key advantages over traditional methods:
- High Entropy and Resistance to Attacks: Despite being generated from low-entropy inputs, Human Keys are highly secure due to the tVOPRF transformation. This ensures that the resulting private key has a high level of randomness, making it resistant to brute force attacks.
- Decentralized: The OPRF on Mishti computes on sign up and every subsequent sign in for deriving the key. Given the high stakes, the network is deployed as an AVS on Eigen Layer, and Mishti has successfully onboarded several operators, and others in the pipeline to secure Human Keys.
- Zero-Knowledge Proofs for Privacy and anti collusion: Nodes provide ZKPs on their computation for integrity, and users send their masked input in a ZKP to derive keys on the network for privacy.
- User Controlled MPC: The private key generated on Mishti is shared with the user and a network through Ika’s 2PC-MPC (Two-Party Computation Multi-Party Computation). This ensures user sovereignty for all transactions, and protection from the network by designing transaction logic and policy engines to combat any single point of failure.
Comparison with Other Key Management Solutions
To highlight the advantages of Human Keys, it’s useful to compare them with other key management solutions:
Human Keys secures your Digital Identity
As the digital world becomes increasingly decentralized, the need for secure, user-friendly key management solutions will continue to grow. Human Keys represent a significant step forward in this evolution, offering a solution that is both secure and accessible.
Human Keys makes onboarding seedless and human friendly. Create your Human Keys on Silk to secure your digital assets, send payments, access global internet finance protocols, and manage your private data using Zeronym.
On top of Keys being created on human identity, they can be used to make ZK Proof of personhood on Zeronym. Keys can custody their own identity; this mitigates the risks associated with centralized storage of identity. Human Keys can program privacy by delegating roles and permissions to other parties for custody transfer and selective disclosure of private data, useful for identity verification use cases that would like to preserve privacy and be accountable.