Self-Sovereign Identity

One Hierarchical Keychain.

ATSHI Keychain is a self-sovereign identity layer that replaces passwords, vaults, and centralized key managers with a single cryptographic seed — secured on-chain, controlled entirely by you.

Figure: derivation tree. One seed · unlimited services · BIP-39 · BIP-32 · one identity, every cryptographic language · quantum-safe ready.
The Problem

Your Identity Is Scattered, Vulnerable, and Not Yours.

Every organization today manages identity the same broken way. Employees juggle dozens of credentials. IT departments maintain fragile access control lists in systems they don't fully control. Password managers store millions of encrypted vaults on a single server — and when that server is breached, everyone pays the price.

80%+ of data breaches involve stolen or weak credentials
30 M+ encrypted vaults exposed in a single breach
Days to revoke a departed employee's access

The root cause is always the same: identity and secrets are stored somewhere you have to trust. A vendor's cloud. A corporate directory. A database that becomes a single point of failure.

What if your identity lived on a blockchain where no single server holds your keys, revocation is instant, and your secrets are encrypted with keys that never leave your device?

The Solution

A Keychain That Thinks Like You Do.

ATSHI Keychain starts with one seed — a single master secret that only you possess. From this seed, the protocol derives as many independent key pairs as you need: one for payments, one for traceability, one for your Ethereum bridge, one for your company vault. This is not a wallet. It is a portable, programmable identity that speaks natively to any ecosystem.

01

One Seed, Unlimited Services

Your keychain derives a separate key pair for every use case — transfers, data, bridges, vaults — each with its own transaction history. Compromise one service, the others remain untouched.

02

Any Curve, Any Ecosystem

Need Ethereum? secp256k1. WebAuthn for passwordless login? P256. Quantum-safe protection? Falcon-512 and ML-KEM-768 are built in. One identity, every cryptographic language.

03

Your Keys, Your Rules

No server stores your seed. No vendor can lock you out. No admin can read your secrets. Encryption and decryption happen on your device. The blockchain stores only ciphertext that is meaningless without your key.

How It Works

From Seed to Organization — In Minutes.

1
Create Your Keychain

Generate a seed. That's it. Your identity exists. The protocol derives your first service key pair and creates your transaction chain on the ATSHI network.

2
Add Services

Each service is a dedicated key pair with its own derivation path and curve. Add a payment service, a traceability service, a vault for your secrets. Each one gets its own isolated transaction chain.

3
Build Your Hierarchy

Organizations can nest keychains to any depth. Company → subsidiary → department → team → employee. Each level manages its children, but never accesses its siblings or parents.

4
Revoke Instantly

When someone leaves, publish one transaction. The departing user is removed from the authorized key list. No migration, no ticket to IT, no waiting. The blockchain's truth is always the latest transaction.

Under the Hood

Key Derivation & Cryptographic Architecture.

For developers and architects — the cryptographic internals of the ATSHI Keychain.

Master Seed · BIP-39 Mnemonic
  m/650′/0/0   Wallet & Transactions   Ed25519
  m/650′/1/0   DeFi Service            secp256k1
  m/650′/2/0   Enterprise Auth         NIST P256
  m/650′/3/0   Quantum-Safe Channel    Falcon-512
  m/650′/n/0   Any Future Service      …

Key Derivation

Keys follow a structured derivation path: m / 650′ / service_id / key_index. Each service defines its own curve and hash algorithm (SHA256, SHA512, SHA3-256, SHA3-512, BLAKE2B). Derivation uses HMAC-SHA512(master_seed, SHA256(path)) — the first 256 bits become the private key.
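The derivation rule above, worked through in code. This is an added example, not code from the ATSHI project: it assumes the path is hashed as its UTF-8 string with the hardened marker written as an ASCII apostrophe (the page prints it as a prime), uses only the Python standard library, and takes its service table from the derivation tree shown on this page. The demo seed is constructed, not a real BIP-39 seed.

```python
import hashlib
import hmac

# Service table transcribed from the page's derivation tree (service_id -> name, curve).
SERVICE_TABLE = {
    0: ("Wallet & Transactions", "Ed25519"),
    1: ("DeFi Service", "secp256k1"),
    2: ("Enterprise Auth", "NIST P256"),
    3: ("Quantum-Safe Channel", "Falcon-512"),
}
PURPOSE = 650  # hardened purpose level shown in the page's paths (m/650'/...)


def derivation_path(service_id: int, key_index: int) -> str:
    """Build the path string m/650'/service_id/key_index.

    Assumption: the hardened marker is an ASCII apostrophe in the string
    that gets hashed; the page renders it as a prime (650′).
    """
    if service_id < 0 or key_index < 0:
        raise ValueError("service_id and key_index must be non-negative")
    return f"m/{PURPOSE}'/{service_id}/{key_index}"


def derive_private_key(master_seed: bytes, path: str) -> bytes:
    """HMAC-SHA512(master_seed, SHA256(path)); the first 256 bits are the private key.

    Assumption: the path is hashed as its UTF-8 encoding. The 32-byte output is
    usable directly as an Ed25519 seed; for secp256k1 / P-256 the caller must
    still check it is non-zero and below the curve order, and for Falcon-512 it
    is a key-generation seed rather than the key itself.
    """
    if len(master_seed) < 16:
        raise ValueError("master seed must be at least 128 bits")
    path_hash = hashlib.sha256(path.encode("utf-8")).digest()
    mac = hmac.new(master_seed, path_hash, hashlib.sha512).digest()
    return mac[:32]


def derive_service_keys(master_seed: bytes, key_index: int = 0) -> dict:
    """Derive one isolated private key per service in SERVICE_TABLE.

    Each service key comes from a distinct path, so compromising one service
    key reveals nothing about the others or about the master seed.
    """
    keys = {}
    for service_id, (name, curve) in SERVICE_TABLE.items():
        path = derivation_path(service_id, key_index)
        keys[path] = {
            "service": name,
            "curve": curve,
            "private_key": derive_private_key(master_seed, path),
        }
    return keys


if __name__ == "__main__":
    # Constructed demo seed; a real seed comes from BIP-39 mnemonic entropy.
    demo_seed = hashlib.sha256(b"constructed demo seed, not a real one").digest()
    for path, info in derive_service_keys(demo_seed).items():
        print(f"{path:<12} {info['service']:<22} {info['curve']:<10} "
              f"{info['private_key'].hex()[:16]}...")
```

The per-curve caveat in `derive_private_key` is the practical check to keep: an HMAC output is a uniformly random 256-bit string, which is exactly what Ed25519 wants as a seed, but for Weierstrass curves it must be validated against the group order before it is used as a scalar.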

On-Chain Backup & Recovery

Your keychain is encrypted with AES-256-CTR and stored as a transaction on the blockchain. The AES key is wrapped via ECIES (ephemeral ECDH key exchange) for each authorized device. Add a device with an access_keychain transaction; revoke one by re-encrypting the keychain without that device's wrapped key.

Quantum-Resistant Key Commitment

The hash of the next public key is disclosed on-chain while the key itself remains secret. Even if a quantum computer breaks the current curve, the attacker cannot take over the identity, because the network has already committed to the hash of the next key, and only the legitimate owner can reveal a key matching that hash. The commitment is combined with Falcon-512 post-quantum signatures.
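The commit-then-reveal mechanism described above, as an added example that is not part of the page or the ATSHI code base. The "public keys" are constructed 32-byte stand-ins (real ones would be Ed25519 or Falcon-512 public keys); the class names and the use of SHA-256 as the commitment hash are assumptions. What it demonstrates is the check a verifier performs at rotation time: a revealed key is accepted only if it hashes to the commitment already on the chain, so a substituted key is rejected even by someone who holds the current private key.

```python
import hashlib
import hmac


def demo_public_key(label: int) -> bytes:
    """Constructed stand-in for a public key: 32 deterministic bytes from a label.
    Real keys would be Ed25519 / Falcon-512 public keys."""
    return hashlib.sha256(b"constructed-demo-pubkey:" + str(label).encode()).digest()


def commit(public_key: bytes) -> bytes:
    """The on-chain commitment: SHA-256 of the *next* public key (assumed hash)."""
    return hashlib.sha256(public_key).digest()


class KeyCommitmentChain:
    """Active public key plus the published hash of its successor.

    The successor key stays secret until the rotation that reveals it; only
    its hash is on-chain. A party who breaks the current key can sign, but
    cannot produce a preimage for the commitment, so they cannot rotate the
    identity onto a key they control.
    """

    def __init__(self, current_pub: bytes, next_pub: bytes):
        self.current_pub = current_pub
        self.next_commitment = commit(next_pub)
        # (active key, commitment published while that key was active)
        self.ledger = [(current_pub, self.next_commitment)]

    def can_rotate(self, revealed_pub: bytes) -> bool:
        """A rotation is valid only if the revealed key hashes to the commitment."""
        return hmac.compare_digest(commit(revealed_pub), self.next_commitment)

    def rotate(self, revealed_pub: bytes, successor_pub: bytes) -> bool:
        """Reveal the committed key, make it active, and commit to the one after it."""
        if not self.can_rotate(revealed_pub):
            raise ValueError("revealed key does not match the on-chain commitment")
        self.current_pub = revealed_pub
        self.next_commitment = commit(successor_pub)
        self.ledger.append((revealed_pub, self.next_commitment))
        return True


if __name__ == "__main__":
    k1, k2, k3 = (demo_public_key(i) for i in (1, 2, 3))
    chain = KeyCommitmentChain(k1, k2)
    print("rotation to committed key accepted:", chain.rotate(k2, k3))
    # A key that was never committed to is rejected, whoever signs the request.
    print("rotation to uncommitted key accepted:", chain.can_rotate(demo_public_key(99)))
```

The scheme only holds if the next key cannot be computed from the current one; keys derived from the master seed through HMAC-SHA512, as the derivation section describes, satisfy that, whereas a scheme that derived the next key from the current public key would not.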

Biometric & Multi-Factor Unlock

On mobile, unlock via the device's secure enclave (Face ID, Touch ID). On desktop, Yubikey or PIN. Private keys only exist temporarily in memory — they are discarded after each operation. No seed phrase required for daily use.

Standards & Compliance: W3C DID · FIDO2 / WebAuthn · eIDAS 2.0 · Verifiable Credentials · BIP-39
Organizational Keychain

Enterprise Identity Without the Enterprise Complexity.

Traditional corporate identity systems require Active Directory, LDAP, SAML, OAuth, SSO providers, password policies, and a full-time team to manage them. ATSHI Keychain replaces this stack with a single, auditable, cryptographic hierarchy.

Root   Company Keychain
L1     Subsidiary A · Subsidiary B
L2     Engineering · Finance · Operations
L3     Team Alpha · Team Beta
L4     Employees · Contractors · Partners
01 Scalable · Recursive

Unlimited Depth

Your hierarchy has no structural limit. Company, subsidiary, department, team, individual, partner — add levels as your organization grows. Each level is just a path segment in the derivation tree.

02 Isolated · Non-Cascading

Key Wrapping, Not Key Sharing

Each wallet has its own independent key pair. The parent holds an encrypted copy — not the key itself. Compromising one level does not cascade to the rest. The parent can recover a child's access, but the child cannot escalate.

03 Granular · Contract-Enforced

Permission-Scoped Services

A partner gets read-only traceability access. An auditor gets time-limited financial records. A contractor gets write access to a specific project — nothing else. Permissions enforced by smart contracts.

04 One Transaction · Immediate

Instant Cryptographic Revocation

Revoking access is a single blockchain transaction. The departed user is removed from the authorized key list, and the protocol rotates the affected keys. No grace period. No leftover access.

05 SOC 2 · ISO 27001 · GDPR

Immutable Audit Trail

Every access grant, revocation, and key rotation is a transaction on the chain. Compliance teams get a tamper-proof log that satisfies SOC 2, ISO 27001, and GDPR audit requirements — without additional tooling.

Identity Layer

Beyond Wallets — Six Identity Types.

Most blockchain identity systems recognise only one entity: a wallet address. ATSHI Keychain supports six native identity types, each with its own authentication model, lifecycle rules, and policy surface — so the protocol can distinguish a human from a server from a temperature sensor.

01 Biometric · Key-Based Auth

Individual

Human users with biometric or key-based authentication. Personal keychains hold credentials, consent records, and delegated permissions — all under the user's sovereign control.

02 Policy Inheritance · Root

Organisation

Company-level identity with policy inheritance. The root keychain defines compliance rules, signing thresholds, and revocation authority that cascade to every sub-entity.

03 Scoped · Inherited Policy

Department

Sub-org unit with scoped permissions. Departments inherit organisational policy but can layer additional constraints — budget ceilings, service allow-lists, or geographic restrictions.

04 TPM · HSM · SPIFFE

Machine

TPM / HSM / SPIFFE-attested servers. Machine identities are bound to hardware attestation, enabling zero-trust workload authentication without shared secrets or static API keys.

05 Lightweight · Bulk Provisioning

IoT Device

Constrained sensors and edge devices authenticated via a lightweight gateway. Bulk provisioning lets you onboard thousands of devices in a single transaction batch.

06 CI/CD · Auto-Rotate

Service Account

Automated processes and CI/CD pipelines. Service accounts carry time-limited, least-privilege credentials that are automatically rotated — no human in the loop required.

  • PKI Bridge: X.509, LDAP, and Active Directory sync. When an employee departs, credential revocation propagates automatically — no manual checklist, no forgotten accounts.
  • W3C DID Native: Decentralized Identifiers are first-class citizens, compatible with eIDAS 2.0 and the European Blockchain Services Infrastructure (EBSI).
  • Transitive Delegation: Permissions can be delegated with controlled depth. A partner can delegate to a subcontractor, who can delegate one level further — but never beyond the limit you set.
  • Machine Credentials: TPM, HSM, and SPIFFE attestation for zero-trust infrastructure. Workloads prove their identity through hardware roots of trust, not shared secrets.
ATSHI Vault — Decentralized Secret Manager

Your Passwords Deserve a Vault That Can't Be Breached.

LastPass was breached. The encrypted vaults of over 30 million users were stolen. ATSHI Vault takes a fundamentally different approach. There is no central server. There is no vault database. Your secrets live on your keychain's transaction chain, encrypted with keys derived from your seed. Decryption happens on your device, nowhere else.

Capability | Centralized Vault (LastPass, 1Password) | ATSHI Vault on ATSHI
Where are your secrets stored? | Vendor's cloud servers | Your transaction chain — distributed, no single server
Who holds the encryption keys? | Derived from master password — but the blob is on their server | Derived from your seed — the key never leaves your device
What happens in a breach? | Attacker gets encrypted vaults + metadata | No central target — attacker would need to compromise the entire network
Access revocation | Software-level toggle in admin panel | Cryptographic — one transaction removes the key
Organizational sharing | Shared folders with software ACLs | Hierarchical keychains — math enforces boundaries
Audit trail | Vendor-provided logs (opaque, deletable) | Immutable on-chain transaction history
Vendor lock-in | Proprietary formats, export limitations | Open protocol, standard format, fully portable
Quantum resistance | No roadmap | Falcon-512 + ML-KEM-768 hybrid mode available today

Personal Vault

Store your logins, API keys, TOTP secrets, and certificates in a single encrypted transaction chain. Access them from any device with your seed. No sync servers, no cloud dependency.

Team Secrets

DevOps credentials, payment gateway keys, shared API tokens — accessible to authorized team members through the keychain hierarchy. When someone leaves, one transaction revokes access and rotates the keys.

Enterprise Compliance

Every credential access, rotation, and share event is an on-chain transaction. Export your audit trail in standard formats for SOC 2 and ISO 27001 reviews. No additional logging infrastructure required.

Cross-Organization Sharing

Share specific secrets with a partner — a lab, a supplier, a logistics provider — by adding their public key to a scoped service. They see only what you authorize. Revocation is mutual and instant.

Quantum-Safe By Design

Built for the Threats That Don't Exist Yet.

Most blockchain projects treat quantum computing as a distant concern. For ATSHI Keychain, it's a design requirement — especially for secrets that will still matter in 10 or 20 years.

Passwords, certificates, API keys, and business-critical data stored today could be captured and decrypted by a future quantum computer. This "harvest now, decrypt later" attack is not theoretical — intelligence agencies are already stockpiling encrypted traffic.

ATSHI Keychain addresses this with a hybrid cryptographic model:

Signing Ed25519 + Falcon-512

Every vault transaction carries both an Ed25519 signature and a Falcon-512 (NIST FIPS 206) post-quantum signature. If either algorithm is broken, the other still protects.

Encryption X25519 + ML-KEM-768

Vault secrets are encrypted using a combined key derived from both X25519 (classical) and ML-KEM-768 (NIST FIPS 203, post-quantum) key encapsulation. Breaking both is required to decrypt.

This is not a future roadmap item. It is available as a service configuration today — deploy a vault with hybrid mode and your secrets are protected against both classical and quantum adversaries.

Real-World Applications

From Farm to Fortune 500.

01 Agri-Food · Supply Chain

Agri-Food Traceability

A dairy cooperative uses organizational keychains to manage identity across 200 farms, 15 collection centers, and 3 processing plants. Each actor has scoped traceability access. Auditors get time-bound keys that expire after inspection.

02 ATSHI Vault · IT Security

Enterprise Password Management

A mid-size company replaces LastPass with ATSHI Vault. Departmental sub-keychains, team-scoped credentials. When an employee is offboarded, a single transaction revokes all access — no manual checklist, no forgotten service accounts.

03 DeFi · Cross-Chain

Multi-Chain DeFi Identity

A DeFi user manages a single keychain with services for ATSHI (Ed25519), Ethereum (secp256k1), and Bitcoin L2. Wrapped assets live on the bridge service chain. One seed, one identity, no wallet juggling.

04 Finance · Quantum-Safe

Regulatory Compliance Vault

A financial institution stores KYC records and encryption certificates in a quantum-resistant vault. Hybrid Falcon-512 + ML-KEM-768 ensures data captured today remains unreadable decades from now. Immutable audit trail for regulators.

05 B2B · Federation

Partner & Supplier Onboarding

A manufacturer onboards a supplier by adding their public key to a scoped federation service. The supplier submits batch certificates directly — no API keys, no OAuth tokens, no shared passwords. One transaction severs the link.

Competitive Landscape

How ATSHI Keychain Compares.

Capability | Ethereum (EOA/AA) | Cosmos (Keystone) | Traditional IAM | Password Managers | ATSHI Keychain
Self-sovereign identity | Partial — private key, no services | Partial — HD wallet only | No — vendor-managed | No — vendor-managed | Yes — seed never leaves device
Multi-curve from one identity | secp256k1 only | Limited | N/A | N/A | Ed25519, secp256k1, P256, Falcon
Organizational hierarchy | No native support | No native support | Yes — but centralized | Shared folders (flat) | Unlimited depth, key wrapping
Instant cryptographic revocation | No — key rotation required | No | Software-level | Software-level | Yes — one transaction
Quantum-safe option | No | No | No | No | Falcon-512 + ML-KEM-768 hybrid
Decentralized secret vault | No | No | No | Yes — centralized server | ATSHI Vault — on-chain, no server
Immutable audit trail | Yes (transfers only) | Yes (transfers only) | Vendor logs (deletable) | Vendor logs (deletable) | Every action is a transaction
On-chain permission scoping | Via AA (complex) | No | RBAC (centralized) | Folder-level sharing | Per-service, contract-enforced
Bridge-native identity | Native | Via IBC relayers | N/A | N/A | secp256k1 = EVM-compatible
Recovery model | Social recovery (AA only) | Seed phrase | Admin reset | Master password + vendor | Shamir's Secret Sharing (N-of-M)
One Seed. Every Service. No Server. No Compromise.

Identity infrastructure for organizations that refuse to outsource trust.

Whether you're managing 10 employees or 10,000 supply chain partners, your identity is yours — sovereign, auditable, quantum-ready.