ICP Storage Spec

Overview

The Internet Computer (ICP) provides the stealth messaging layer for zERC20. Two canisters handle encrypted communication between senders and recipients without revealing the relationship on-chain.

Location: zstorage/

Components

Key Manager Canister

Location: zstorage/backend/key_manager/

Derives identity-based encryption (IBE) keys using VetKD (Verifiable Encrypted Threshold Key Derivation).

Functions:

  • Derives Boneh-Franklin IBE secrets per EVM address

  • Enforces nonce + TTL on key requests

  • Recipients authenticate with EVM signatures to fetch view keys

Storage Canister

Location: zstorage/backend/storage/

Persists encrypted announcements and signed invoices.

Functions:

  • Store/retrieve encrypted announcements

  • Store/retrieve signed invoices

  • Paginated scanning for recipients

Data Structures

Invoice

Recipient-initiated payment request.

Announcement

Sender-initiated encrypted payload.

Stealth Payload

The decrypted content of an announcement.

Workflows

Invoice Flow (Recipient-Initiated)

Modes:

  • Single: One burn address per invoice

  • Batch: Up to 10 burn addresses (sub IDs 0-9)

Payment Advice Flow (Sender-Initiated)

Recipient Scanning

Encryption Scheme

IBE (Identity-Based Encryption)

  • Scheme: Boneh-Franklin IBE

  • Identity: Recipient's EVM address

  • Key Derivation: VetKD from ICP subnet keys

Payload Encryption

Decryption

Client Libraries

Rust Client

Location: zstorage/frontend/ (Rust)

TypeScript Client

Location: frontend/src/services/sdk/storage/

Browser-compatible client with the same functionality as the Rust client.

Security Considerations

  • Key Manager Trust: ICP subnet collectively holds master key; no single node can decrypt

  • Storage Privacy: Canisters store only encrypted data; cannot read contents

  • Authentication: EVM signatures required for key requests

  • Nonce/TTL: Prevents replay attacks on key derivation requests
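
A minimal sketch of how nonce + TTL enforcement can reject replayed key requests, added here as an illustration and not taken from the zstorage code base. The request fields, the ReplayGuard type and the 300-second TTL cap are assumptions, and the EVM signature over the request is assumed to have been verified before the check runs.

```rust
use std::collections::HashMap;

/// Assumed cap on how far in the future a request may expire (not from the spec).
const MAX_TTL_SECS: u64 = 300;

#[derive(Debug, PartialEq)]
enum Reject { Expired, TtlTooLong, Replayed }

/// Hypothetical request fields; the EVM signature covering them is assumed
/// to be verified before `check` is called.
struct KeyRequest { address: [u8; 20], nonce: u64, expires_at: u64 }

/// Remembers (address, nonce) pairs until their expiry time passes.
#[derive(Default)]
struct ReplayGuard { seen: HashMap<([u8; 20], u64), u64> }

impl ReplayGuard {
    fn check(&mut self, req: &KeyRequest, now: u64) -> Result<(), Reject> {
        // An expired request is rejected on its timestamp alone, so its nonce
        // no longer needs to be remembered. Pruning keeps the state bounded.
        self.seen.retain(|_, exp| *exp > now);
        if req.expires_at <= now {
            return Err(Reject::Expired);
        }
        // Without a cap, a far-future expiry would pin an entry indefinitely.
        if req.expires_at - now > MAX_TTL_SECS {
            return Err(Reject::TtlTooLong);
        }
        let key = (req.address, req.nonce);
        if self.seen.contains_key(&key) {
            return Err(Reject::Replayed);
        }
        self.seen.insert(key, req.expires_at);
        Ok(())
    }
}

fn main() {
    let mut guard = ReplayGuard::default();
    let addr = [0xAA; 20]; // constructed sample address
    let req = KeyRequest { address: addr, nonce: 1, expires_at: 1_060 };
    println!("{:?}", guard.check(&req, 1_000)); // first use is accepted
    println!("{:?}", guard.check(&req, 1_010)); // replay inside the TTL window
    println!("{:?}", guard.check(&req, 1_060)); // replay after expiry
}
```

The nonce set only has to cover the TTL window: inside it the nonce check catches a replay, after it the expiry check does.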
