# Cryptography & Secure Handshake

**Information**

* Node Identity: Ed25519 keypair per node (published on-chain). Ephemeral X25519 keys per session for forward secrecy.
* Hashing: BLAKE3 for local metering; SHA-256 for cross-chain compatibility.
* AEAD: AES-GCM or ChaCha20-Poly1305 for authenticated encryption.
* KDF: HKDF-SHA256 to derive session keys.
* MAC: HMAC-SHA256 for off-path telemetry integrity.

**Handshake Process**

* Discovery via Intelligent DNS with node IDs.
* QUIC/TLS 1.3 establishes encrypted streams.
* Application Identity Bind with signed Ed25519 proofs.
* Ephemeral X25519 exchange with HKDF derivation.
* Optional double-encryption via overlay AEAD.
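
The identity bind, ephemeral X25519 exchange and HKDF steps above, shown with the Go standard library as an added example (not the project's code). `bindLabel`, the `Hello` layout, the empty HKDF salt and the `example-session-key` info string are assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const bindLabel = "example-identity-bind-v1" // assumed label; the page defines no proof format
type Hello struct{ EphPub, Sig []byte }     // assumed layout: ephemeral X25519 key + Ed25519 proof

func newHello(id ed25519.PrivateKey, eph *ecdh.PrivateKey) Hello {
	pub := eph.PublicKey().Bytes()
	return Hello{pub, ed25519.Sign(id, append([]byte(bindLabel), pub...))}
}

func hkdfSHA256(secret, info []byte) []byte { // RFC 5869, empty salt, one 32-byte block
	ext := hmac.New(sha256.New, nil)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append(info, 1))
	return exp.Sum(nil)
}

// sessionKey verifies the peer's proof against its published identity key, then derives the key.
func sessionKey(eph *ecdh.PrivateKey, peerID ed25519.PublicKey, peer Hello) ([]byte, error) {
	if !ed25519.Verify(peerID, append([]byte(bindLabel), peer.EphPub...), peer.Sig) {
		return nil, fmt.Errorf("identity bind: signature does not match published key")
	}
	pk, err := ecdh.X25519().NewPublicKey(peer.EphPub)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(pk) // errors on an all-zero shared secret (low-order point)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(shared, []byte("example-session-key")), nil
}

func main() {
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader) // constructed identity for node B
	ephA, _ := ecdh.X25519().GenerateKey(rand.Reader)
	ephB, _ := ecdh.X25519().GenerateKey(rand.Reader)
	key, err := sessionKey(ephA, pubB, newHello(privB, ephB))
	fmt.Printf("A's session key: %x (err=%v)\n", key, err)
}
```

A deployed proof would normally also sign a fresh per-session value (for example a TLS exporter), so that a captured `Hello` cannot be replayed in a later session.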

**Data Transmission Privacy**

* Default: QUIC/TLS 1.3 AEAD per hop.
* Optional: End-to-end AEAD overlay so intermediate lightnodes only relay ciphertext.
* Zero-copy Rust pipeline preserves encryption until final processing point.
