# Deterministic Derivation

`POST /keys/{keyId}/derive`

The Dfns decentralized key management network supports a threshold Diffie-Hellman protocol based on the [GLOW20 paper](https://eprint.iacr.org/2020/096). You can use the DH protocol to derive an output from a domain separation tag and a seed value. The derivation process is deterministic, i.e. the same Diffie-Hellman key and seed will lead to the same derived output. To ensure reproducibility, we use hash-to-curve as specified in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380.html) with the standard ciphersuite `secp256k1_XMD:SHA-256_SSWU_RO_`.

{% hint style="info" %}
The seed doesn’t need to be secret. Without access to the DH key, it is not possible to do the derivation, even if the seed is known. Moreover, if both seed and derived output are known, it’s also not possible to do the derivation for another seed without having access to the DH key.
{% endhint %}

This endpoint only supports Diffie-Hellman keys. Regular threshold signature keys, like `ECDSA` or `EdDSA`, will not work. You can create a Diffie-Hellman key with the [Create Key](https://docs-legacy.dfns.co/d/api-docs/keys/create-key) endpoint using `scheme=DH` and `curve=secp256k1`.

{% hint style="info" %}

* User action signature required. See [User Action Signing](https://docs-legacy.dfns.co/d/api-docs/authentication/user-action-signing) for more information.
* Request headers required. See [Request Headers](https://docs-legacy.dfns.co/d/advanced-topics/authentication/request-headers) for more information.
* Authentication required. See [Authentication Headers](https://docs-legacy.dfns.co/d/advanced-topics/authentication/request-headers#authentication-headers) for more information.
{% endhint %}

## Required Permissions

| Name          | Conditions      |
| ------------- | --------------- |
| `Keys:Derive` | Always Required |

## Parameters

### Path parameters

| Path parameter | Description                   |
| -------------- | ----------------------------- |
| `keyId`        | Unique identifier of the key. |

## Request Body

| Field    | Description                                                                                                                                                                                          | Type - Optional |
| -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------- |
| `domain` | Domain separation tag in hex-encoded format. Used to ensure the same seed will generate different outputs for different applications. For example, a DST can be `{company}:{application}:{version}`. | String          |
| `seed`   | Seed value in hex-encoded format.                                                                                                                                                                    | String          |

### Example

```
{
  "domain": "0x64666e733a646f63756d656e746174696f6e3a6b65795f646572697665",
  "seed": "0x64616e69656c2e6a696e4064666e732e636f"
}
```
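The following is an added example, not part of the Dfns documentation or SDK: a client-side helper that builds this request body from a `{company}:{application}:{version}` tag and a raw seed. The function names, the rejection of empty or `:`-containing components, and the 255-byte bound (RFC 9380's limit on a DST passed to `expand_message_xmd`) are assumptions of this example; the page does not say which of these the API enforces.

```python
import json

MAX_DST_LEN = 255  # assumption: RFC 9380 bound on a DST for expand_message_xmd
SEP = ":"          # separator from the page's {company}:{application}:{version} format


def to_hex(data: bytes) -> str:
    """Hex-encode bytes with the 0x prefix used in the page's example body."""
    return "0x" + data.hex()


def from_hex(value: str) -> bytes:
    """Decode a 0x-prefixed hex string; raises ValueError on malformed input."""
    if not value.startswith("0x"):
        raise ValueError("missing 0x prefix")
    return bytes.fromhex(value[2:])


def build_dst(company: str, application: str, version: str) -> bytes:
    """Join the parts as company:application:version, rejecting ambiguous input."""
    parts = (company, application, version)
    for part in parts:
        # An empty part or an embedded ':' would let two different tuples
        # encode to the same tag, which defeats domain separation.
        if not part or SEP in part:
            raise ValueError(f"invalid DST component: {part!r}")
    dst = SEP.join(parts).encode("utf-8")
    if len(dst) > MAX_DST_LEN:
        raise ValueError("DST longer than 255 bytes")
    return dst


def build_derive_body(company: str, application: str, version: str, seed: bytes) -> str:
    """Return the JSON request body for POST /keys/{keyId}/derive."""
    body = {
        "domain": to_hex(build_dst(company, application, version)),
        "seed": to_hex(seed),
    }
    return json.dumps(body)


if __name__ == "__main__":
    # Constructed seed (a made-up user identifier); the seed need not be secret.
    print(build_derive_body("dfns", "documentation", "key_derive", b"user-1234"))
```

With the components `dfns`, `documentation` and `key_derive`, the helper produces the same `domain` value as the example body above.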

## Response Body

| Field    | Description                              | Type - Optional |
| -------- | ---------------------------------------- | --------------- |
| `output` | Derivation output in hex-encoded format. | String          |

### 200 Success

```
{
  "output": "0x543feac809a7fcb4aea9516e9eb82b9fc6f234e214bbd53145b7bbc0f3be0c57"
}
```
