Encryption Flow

This page describes how data is encrypted and decrypted during an identity exchange within the CRYMBO Oracle.

End-to-End Encryption Process

Step 1: Key Retrieval

The sending institution retrieves the receiving institution's published public key from the Oracle.

Step 2: PII Encryption

The sender encrypts the required identity fields using the recipient's public key:

EncryptedPII = Encrypt(PII_fields, recipient_public_key)

Step 3: Signed Payload

The sender signs the encrypted payload with their own signing key to ensure integrity:

SignedPayload = Sign(EncryptedPII, sender_signing_key)

Step 4: Oracle Transmission

The signed, encrypted payload is transmitted through the Oracle network. Validators can verify the signature without decrypting the PII.

Step 5: Recipient Decryption

The receiving institution decrypts the PII using their private key:

PII_fields = Decrypt(EncryptedPII, recipient_private_key)

Step 6: Attestation

An attestation confirming the successful identity exchange is published on-chain. The attestation contains no PII — only a reference to the exchange event and its compliance status.

Key Principles

At no point does CRYMBO infrastructure have access to decrypted PII
Validators verify compliance without accessing raw identity data
The entire flow is auditable without exposing underlying data

End-to-End Encryption Process​

Step 1: Key Retrieval​

Step 2: PII Encryption​

Step 3: Signed Payload​

Step 4: Oracle Transmission​

Step 5: Recipient Decryption​

Step 6: Attestation​

Key Principles​