KEMET.

KEM-PRTL-004 · Protocol Charter

KCEP · Kemet Cryptographic Engine Protocol

The Kemet Cryptographic Engine Protocol — node identity, Vault derivation, and the non-custodial key domain of every participant.

Document ID: KEM-PRTL-004
Version: 1.0.0
Effective Date: 2026-05-05
Classification: PUBLIC PROTOCOL CHARTER

1. Charter

KCEP defines how the Network recognizes a Node. We do not assign accounts in the legacy sense — we recognize cryptographic identities derived from a user-held Vault Key. The Organization never possesses Vault material, recovery phrases, or private signing keys. Identity is proven through challenge–response using Ed25519-class signatures over published intent.
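
A sketch of the challenge-response identity proof described above, added here as an illustration and not KCEP's own code. The transcript layout, domain tag, freshness window and intent strings are assumptions, since the charter does not publish wire formats; the verifier holds only the Node's public key.

```javascript
const crypto = require('node:crypto');

// Constructed demo keypair: generated locally, as a Node would before any
// network write. The verifier below never sees node.privateKey.
const node = crypto.generateKeyPairSync('ed25519');

const CHALLENGE_TTL_MS = 30000;   // assumed freshness window
const outstanding = new Map();    // nonce -> { intent, expires }

// Verifier: issue a single-use random challenge bound to a stated intent.
function issueChallenge(intent, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('hex');
  outstanding.set(nonce, { intent, expires: now + CHALLENGE_TTL_MS });
  return { nonce, intent };
}

// Both sides build the signed bytes the same way. The domain tag (hypothetical)
// and length prefixes stop a signature from being reinterpreted elsewhere.
function transcript({ nonce, intent }) {
  const fields = ['example-identity-proof-v1', nonce, intent];
  return Buffer.concat(fields.flatMap((s) => {
    const body = Buffer.from(s, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return [len, body];
  }));
}

// Node: sign the transcript with the locally held private key.
function respond(challenge, privateKey) {
  return crypto.sign(null, transcript(challenge), privateKey);
}

// Verifier: consume the nonce, check freshness and intent, then the signature.
function verifyResponse(challenge, signature, publicKey, now = Date.now()) {
  const entry = outstanding.get(challenge.nonce);
  outstanding.delete(challenge.nonce);   // single use, even when the check fails
  if (!entry) return 'unknown-or-replayed';
  if (now > entry.expires) return 'expired';
  if (entry.intent !== challenge.intent) return 'intent-mismatch';
  const valid = crypto.verify(null, transcript(challenge), publicKey, signature);
  return valid ? 'ok' : 'bad-signature';
}
```

Deleting the nonce before any other check means a captured response cannot be replayed, and a signature made for one intent fails when presented under another.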

2. Key Hierarchy (Abstract)

  • Vault Key — root entropy represented as a recovery phrase; never transmitted to infrastructure.
  • Identity Key Domain — long-lived signing and agreement keys bound to the Node, stored in platform secure enclave where available.
  • Device Key Domain — per-installation keys with auditable enrollment and revocation.
  • Session Keys — ephemeral material derived inside messaging protocols (KSMP, KVCP); not exported to servers.

3. Enrollment & Recovery

New Nodes generate keys locally before any network write. Recovery on a new device creates a new device domain; peers observe a device change event and must re-establish encrypted sessions. We publish migration and rotation policies; we do not publish derivation paths or internal KDF parameters.

4. Governance Binding

Manifesto acceptance and legal agreement versions are bound into identity creation flows. The Organization may require protocol updates for continued access without ever accessing encrypted content.

Disclosure Line

This charter publishes the contractual behavior, guarantees, and governance boundaries of the protocol. It does not publish anti-abuse scoring internals, exploit-sensitive thresholds, or operational topology details that materially improve adversarial optimization against the Network.
