NuCypher KMS: Decentralized key management system

We’re excited to share NuCypher KMS, a decentralized key management system (KMS) for public blockchains. With NuCypher KMS, an entirely new set of decentralized applications is unlocked for developers. Use cases requiring secure storage, sharing, and manipulation of private data can now be built on public blockchains, allowing for greater protection and control of private data.

This post gives an overview; a detailed description can be found in our draft technical white paper.


NuCypher KMS provides encryption and cryptographic access controls, without reliance on a central service provider. It leverages state-of-the-art proxy re-encryption technology to allow re-keying encrypted data. This allows a decentralized network of nodes to provide key management operations, without accessing private keys or plaintext data.


The core technology is proxy re-encryption (PRE), a cryptographic primitive which allows a third-party proxy to transform ciphertexts from one public key to another (using re-encryption keys), without learning anything about the underlying message.

[Figure: Main actors and interactions in a PRE environment]

This ability to securely delegate access to private, encrypted information makes PRE an ideal candidate for constructing cryptographic access controls for distributed systems such as blockchains, the internet of things (IoT), and big data.
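As an added illustration, and not NuCypher's own code or the scheme its white paper specifies, the following Python implements the textbook BBS98 (Blaze, Bleumer, Strauss, 1998) bidirectional proxy re-encryption scheme over a small Schnorr group. It walks through the three roles named above: Alice encrypts under her public key, the proxy applies the re-encryption key rk(a→b) = b/a mod q to turn her ciphertext into one Bob can decrypt, and the proxy never holds a secret key or sees the plaintext. The group size (a 62-bit safe prime found at import time), the generator, the message encoding and the sample message are all constructed assumptions of this example.

```python
"""
Toy BBS98 proxy re-encryption over a Schnorr group (quadratic residues mod a safe prime).
Added example: not NuCypher's code. Group parameters are deliberately toy-sized.
"""
import secrets
from typing import Tuple

_MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; these bases are sufficient for n < 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> Tuple[int, int]:
    """Return (p, q) with p = 2q + 1, both prime, searching upward from start."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Constructed toy parameters: p = 2q + 1; G = 4 = 2^2 is a quadratic residue,
# so it generates the subgroup of prime order q.
P, Q = find_safe_prime(1 << 62)
G = 4


def encode(m: int) -> int:
    """Map 1 <= m < Q into the order-q subgroup: exactly one of m, p-m is a residue."""
    if not 1 <= m < Q:
        raise ValueError("message out of range")
    return m if pow(m, Q, P) == 1 else P - m


def decode(x: int) -> int:
    """Inverse of encode()."""
    return x if x < Q else P - x


def keygen() -> Tuple[int, int]:
    """Secret key sk in [1, q-1], public key pk = G^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk: int, m: int) -> Tuple[int, int]:
    """BBS98 ciphertext (pk^r, encode(m) * G^r); note pk^r = G^(sk*r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(pk, r, P), encode(m) * pow(G, r, P) % P


def decrypt(sk: int, ct: Tuple[int, int]) -> int:
    """Recover G^r as (pk^r)^(1/sk), then strip it from the second component."""
    c1, c2 = ct
    g_r = pow(c1, pow(sk, -1, Q), P)
    return decode(c2 * pow(g_r, -1, P) % P)


def rekey(sk_from: int, sk_to: int) -> int:
    """Re-encryption key rk = sk_to / sk_from mod q (needs both secrets in BBS98)."""
    return sk_to * pow(sk_from, -1, Q) % Q


def reencrypt(rk: int, ct: Tuple[int, int]) -> Tuple[int, int]:
    """Proxy step: (G^(a*r))^(b/a) = G^(b*r) = pk_b^r; c2 is untouched, plaintext never seen."""
    c1, c2 = ct
    return pow(c1, rk, P), c2


def demo(message: int = 424242) -> dict:
    """Full Alice -> proxy -> Bob flow; Bob without the re-keyed ciphertext gets garbage."""
    sk_a, pk_a = keygen()
    sk_b, _pk_b = keygen()
    ct_a = encrypt(pk_a, message)
    ct_b = reencrypt(rekey(sk_a, sk_b), ct_a)
    return {
        "alice_decrypts_own": decrypt(sk_a, ct_a),
        "bob_decrypts_rekeyed": decrypt(sk_b, ct_b),
        "bob_decrypts_original": decrypt(sk_b, ct_a),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties of this textbook scheme are worth noticing when reading the access-control design that follows. First, the re-encryption key is computed from both secret keys, so creating it requires a key exchange between Alice and Bob that a unidirectional scheme avoids. Second, it is bidirectional: `rekey(sk_b, sk_a)` is simply the modular inverse of `rekey(sk_a, sk_b)`, so any party holding the key can re-key in either direction, which is exactly the kind of trust a network of proxies must be designed around.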

In NuCypher KMS, access controls are issued, enforced, and revoked via smart contracts executed by a decentralized network of re-encryption nodes. This network controls re-encryption keys and allows data owners to conditionally grant and revoke access to third-parties based on their public key.

Re-encryption nodes are incentivized to behave properly using a proof-of-stake NKMS token. If nodes are malicious or defective, their deposit is forfeited. Correctly behaving nodes are incentivized to provide re-encryption services through payment in NKMS.

Use cases

NuCypher KMS enables public blockchains to securely store and manipulate secrets, giving decentralized applications a way to work with private data. But key management as a service is useful for centralized applications, too.

Potential use cases include:

  • KMS-as-a-service for handling secrets in AWS instances (similar to HashiCorp Vault, AWS Key Management Service, etc.);
  • Safely storing encrypted secrets alongside code on GitHub;
  • Decentralized Digital Rights Management (DDRM);
  • Pay-to-view streaming;
  • Encrypted digital content marketplaces;
  • Private multi-user chats;
  • Private, shareable file storage;
  • Patients sharing medical records with healthcare providers;
  • Blind identity management;
  • Mobile device management and revocation.

Call for contributions

We’re very interested in the community’s suggestions and comments on the technical white paper — everything from security to token economics to functionality requests. We’re also excited to brainstorm use cases for NKMS and would love to hear your ideas. Your involvement will help inform the final, revised version of the white paper.

You can find a draft of the technical white paper here and the GitHub repo here.

