Crate atlas_ecdh_bridge


§atlas-ecdh-bridge

Derive deterministic Ed25519 signing keys from WebAuthn/Passkey P-256 ECDH — zero persistent secrets, hardware-bound identity.

§The Problem

Passkeys (WebAuthn/FIDO2) use NIST P-256 keys locked inside hardware security modules — Android StrongBox, iOS Secure Enclave, Windows Hello, YubiKeys. You cannot export the private key, and you cannot sign with Ed25519.

Meanwhile, most blockchains (Solana, Sui, Aptos, Stellar, NEAR, Cosmos, etc.) require Ed25519 signatures. The curves are mathematically incompatible.

§The Solution

This crate bridges the gap using ECDH key agreement — a standard operation that passkey hardware already supports:

passkey_private × FIXED_POINT → 32-byte shared secret (inside TEE)
                                       ↓
             HKDF(secret, "solana:ed25519:v1") → Ed25519 seed → sign → zeroize

One passkey → deterministic Ed25519 keys for every chain → zero secrets stored.

§Security Properties

  • No persistent secrets — Ed25519 key material exists in RAM only during sign(), then is zeroized via the zeroize crate
  • Deterministic — same passkey × same fixed point = same addresses, every time
  • Biometric-gated — ECDH requires user verification (fingerprint, face, PIN)
  • Hardware-bound — the passkey private key never leaves the secure element
  • Domain-separated — each chain gets an independent key via HKDF with unique salt
  • No seed phrase — the hardware IS the identity
  • Auditable — the fixed point is derived from a public domain string
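
The domain-separation step above, as an added Python sketch (not the crate's own code): one 32-byte ECDH output is run through HKDF once per chain label to give independent Ed25519 seeds. Assumptions: HMAC-SHA256 as the HKDF hash, the chain label as the salt with empty info, a constructed sample secret, and the `sui`/`aptos` labels, which are modelled on the `solana:ed25519:v1` string shown on this page.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size, which is also the Ed25519 seed size


def hkdf_sha256(ikm, salt, info=b"", length=32):
    """HKDF (RFC 5869) over HMAC-SHA256: extract, then expand."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    # Extract: an absent salt is treated as HASH_LEN zero bytes.
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()
    # Expand: T(n) = HMAC(PRK, T(n-1) || info || n), concatenated.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_seed(shared_secret, chain_label):
    """Per-chain 32-byte Ed25519 seed from the ECDH shared secret.

    Assumption: the chain label is the HKDF salt and info is empty.
    """
    if len(shared_secret) != 32:
        raise ValueError("P-256 ECDH shared secret must be 32 bytes")
    return hkdf_sha256(shared_secret, chain_label.encode(), b"", 32)


def derive_all(shared_secret, labels):
    """Derive one seed per label and refuse to continue on any collision."""
    seeds = {label: derive_seed(shared_secret, label) for label in labels}
    if len(set(seeds.values())) != len(labels):
        raise RuntimeError("seed collision across chain labels")
    return seeds


# Constructed sample input standing in for passkey_private × FIXED_POINT.
SAMPLE_SECRET = hashlib.sha256(b"constructed ECDH output for illustration").digest()
# "solana:ed25519:v1" is from this page; the other two labels are assumed.
LABELS = ["solana:ed25519:v1", "sui:ed25519:v1", "aptos:ed25519:v1"]

if __name__ == "__main__":
    for label, seed in derive_all(SAMPLE_SECRET, LABELS).items():
        print(f"{label:20} {seed.hex()}")
```

Python cannot reliably wipe immutable `bytes`, so this sketch shows only the derivation; the zeroize-after-sign property listed above is not reproduced here.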

Enums§

Chain
Supported blockchain chains for Ed25519 key derivation.

Functions§

derive_all_builtin_keys
Derive Ed25519 public keys for all 10 built-in chains at once.
derive_public_key
Derive the raw 32-byte Ed25519 public key for a given chain.
derive_public_key_base58
Derive the Ed25519 public key as a base58 string (standard Solana address format).
derive_public_key_hex
Derive the Ed25519 public key as a hex string (standard Sui/Aptos address format).
fixed_point_compressed
Return the fixed point in compressed SEC1 format (33 bytes: 02/03 || X).
fixed_point_uncompressed
Compute the fixed P-256 public key used for ECDH derivation.
fixed_point_xy
Return the fixed point as raw X || Y (64 bytes, no 0x04 prefix).
print_fixed_point_info
Print the fixed point in all formats — useful for embedding in platform code.
sign
Sign a message with the ECDH-derived Ed25519 key for a given chain.
verify
Verify an Ed25519 signature against a public key.