# Deterministic Derivation `POST /keys/{keyId}/derive` Dfns decentralized key management network supports threshold Diffie-Hellman protocol based on [GLOW20 paper](https://eprint.iacr.org/2020/096). You can use the DH protocol to derive output from a domain separation tag and a seed value. The derivation process is deterministic, i.e. the same Diffie-Hellman key and seed will lead to the same derived output. To ensure reproducibility, we use hash to curve [RFC9380](https://www.rfc-editor.org/rfc/rfc9380.html) and standard ciphersuite `secp256k1_XMD:SHA-256_SSWU_RO_`. {% hint style="info" %} The seed doesn’t need to be secret. Without access to the DH key, it is not possible to do the derivation, even if the seed is known. Moreover, if both seed and derived output are known, it’s also not possible to do the derivation for another seed without having access to the DH key. {% endhint %} This endpoint only supports Diffie-Hellman keys. Regular threshold signature keys, like `ECDSA` or `EdDSA`, will not work. You can create a Diffie-Hellman key with the [Create Key](/d/api-docs/keys/create-key.md) endpoint using `scheme=DH` and `curve=secp256k1`. {% hint style="info" %} * User action signature required. See [User Action Signing](/d/api-docs/authentication/user-action-signing.md) for more information. * Request headers required. See [Request Headers](/d/advanced-topics/authentication/request-headers.md) for more information. * Authentication required. See [Authentication Headers](/d/advanced-topics/authentication/request-headers.md#authentication-headers) for more information. {% endhint %} ## Required Permissions | Name | Conditions | | ------------- | --------------- | | `Keys:Derive` | Always Required | ## Parameters ### Path parameters | Path parameter | Description | | -------------- | ----------------------------- | | `keyId` | Unique identifier of the key. | ## Request Body | Field | Description | Type - Optional | | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- | | `domain` | Domain separation tag in hex-encoded format. Used to ensure the same seed will generate different outputs for different applications. For example, a DST can be `{company}:{application}:{version}`. | String | | `seed` | Seed value in hex-encoded format. | String | ### Example ``` { "domain": "0x64666e733a646f63756d656e746174696f6e3a6b65795f646572697665", "seed": "0x64616e69656c2e6a696e4064666e732e636f" } ``` ## Response Body | Field | Description | Type - Optional | | -------- | ---------------------------------------- | --------------- | | `output` | Derivation output in hex-encoded format. | String | ### 200 Success ``` { "output": "0x543feac809a7fcb4aea9516e9eb82b9fc6f234e214bbd53145b7bbc0f3be0c57" } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs-legacy.dfns.co/d/api-docs/keys/advanced-keys-apis/deterministic-derivation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.