Key Rotation via Offsets
Key rotation is a distinct mechanism from dependency injection. Rather than replacing the generator function, you increment a numeric offset at client construction time. This causes the KMAC256 derivation to produce a completely different key for the same wallet, without changing any code.
const client = await getUmbraClient({
signer,
network: "mainnet",
rpcUrl,
rpcSubscriptionsUrl,
offsets: {
x25519UserAccountPrivateKey: 1n, // rotate the token encryption key
poseidonPrivateKey: 0n,
masterViewingKey: 0n,
x25519MasterViewingKeyEncryptingPrivateKey: 0n,
mintX25519PrivateKey: 0n,
rescueCommitmentBlindingFactor: 0n,
randomCommitmentFactor: 0n,
},
});
masterViewingKeyposeidonPrivateKeyx25519UserAccountPrivateKeyx25519MasterViewingKeyEncryptingPrivateKeymintX25519PrivateKeyrescueCommitmentBlindingFactorrandomCommitmentFactor
Rotating an offset produces a different derived key. Any on-chain state - registered X25519 keys, encrypted balances, compliance grants - was created under the old key and cannot be accessed with the rotated key. Always re-register after rotating the user account key, and update any grants that referenced the old MVK X25519 key.
Per-Function Deps Reference
A complete map of which injectable deps each factory function accepts.
Registration
getUserRegistrationFunction
accountInfoProvider, getLatestBlockhash, transactionForwardermasterViewingKeyGenerator, masterViewingKeyBlindingFactorGeneratorposeidonPrivateKeyGenerator, poseidonBlindingFactorGeneratoruserAccountX25519KeypairGenerator, masterViewingKeyEncryptingX25519KeypairGeneratormintX25519KeypairGeneratorrescueCommitmentBlindingFactorGenerator, randomFactorGeneratorgetRcKeyGenerator, getRcEncryptor, rescueCommitmentGeneratoruserCommitmentGeneratorfiatShamirChallengeGenerator, challengePowersFunction, polynomialEvaluatorposeidonAggregatorbn254ModInverter, computeLimbwiseSumInversezkProver (IZkProverForUserRegistration) - required
Deposit
getPublicBalanceToEncryptedBalanceDirectDepositorFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder, getEpochInfo
Withdrawal
getEncryptedBalanceToPublicBalanceDirectWithdrawerFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
Query
getUserAccountQuerierFunction
getEncryptedBalanceQuerierFunction
accountInfoProviderrcDecryptor - override to provide a custom Rescue cipher decryption backend
getClaimableUtxoScannerFunction
accountInfoProvidermerkleProofFetcher - override to fetch Merkle proofs from a custom indexerutxoDataFetcher - override to fetch UTXO data from a custom indexer
UTXO Creation - from Encrypted Balance
getEncryptedBalanceToSelfClaimableUtxoCreatorFunction
accountInfoProvider, blockhashProvider, transactionForwardermasterViewingKeyGenerator, masterViewingKeyBlindingFactorGeneratorposeidonPrivateKeyGenerator, poseidonBlindingFactorGeneratoruserAccountX25519KeypairGeneratorsecondViewingKeyGeneratorephemeralUtxoMasterViewingKeyGenerator, ephemeralUtxoMasterViewingKeyBlindingFactorGeneratorephemeralUtxoPoseidonKeyGenerator, ephemeralUtxoPoseidonKeyBlindingFactorGeneratorephemeralUtxoNullifierGenerator, ephemeralUtxoH2RandomSecretGeneratorposeidonKeystreamBlindingFactorGeneratorposeidonHasher, poseidonEncryptor, poseidonKeystreamGenerator, keystreamCommitmentGeneratorrescueEncryptor, aesEncryptorfiatShamirChallengeGenerator, userCommitmentGenerator, h2GeneratorgetUtcNow, generateRandomU256, getRandomComputationOffsetzkProver (IZkProverForSelfClaimableUtxo) - required
getEncryptedBalanceToReceiverClaimableUtxoCreatorFunction
- Same set as self-claimable from encrypted balance
zkProver (IZkProverForReceiverClaimableUtxo) - required
UTXO Creation - from Public Balance
getPublicBalanceToSelfClaimableUtxoCreatorFunction
accountInfoProvider, blockhashProvider, transactionForwardermasterViewingKeyGenerator, poseidonPrivateKeyGenerator- Ephemeral UTXO key generators (same as above)
- Cryptographic operation functions (Poseidon, Rescue, AES, Fiat-Shamir)
zkProver (IZkProverForSelfClaimableUtxo) - required
getPublicBalanceToReceiverClaimableUtxoCreatorFunction
- Same set as self-claimable from public balance
zkProver (IZkProverForReceiverClaimableUtxo) - required
UTXO Claiming
getReceiverClaimableUtxoToEncryptedBalanceClaimerFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder- Key derivation generators (master viewing key, Poseidon, X25519)
- Ephemeral UTXO key generators
- Cryptographic operation functions
zkProver (IZkProverForClaimReceiverClaimableUtxoIntoEncryptedBalance) - required
getSelfClaimableUtxoToEncryptedBalanceClaimerFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder- Key derivation generators
- Cryptographic operation functions
zkProver (IZkProverForClaimSelfClaimableUtxoIntoEncryptedBalance) - required
getSelfClaimableUtxoToPublicBalanceClaimerFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder- Key derivation generators
- Cryptographic operation functions
zkProver (IZkProverForClaimSelfClaimableUtxoIntoPublicBalance) - required
Conversion
getNetworkEncryptionToSharedEncryptionConverterFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
getMintEncryptionKeyRotatorFunction
accountInfoProvider, getLatestBlockhash, transactionForwardermintX25519KeypairGenerator - override to supply the new keypair directly
Compliance Grants
getComplianceGrantIssuerFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
getComplianceGrantRevokerFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
getSharedCiphertextReencryptorForUserGrantFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
getUserComplianceGrantQuerierFunction
Miscellaneous
getClaimStagedSolFromPoolFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
getClaimStagedSplFromPoolFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
getUpdateRandomGenerationSeedFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
getUpdateTokenAccountRandomGenerationSeedFunction
accountInfoProvider, getLatestBlockhash, transactionForwarder
