Keys let us verify the origin and integrity of data.

# Key Pairs

A "key" is simply a number.

A *private* key is a very large, randomly generated number, which makes it effectively unique.

When a private key is used to generate a *public* key, the combo is called a **key pair**.

The public key is derived from the private key using a specific mathematical algorithm based on a *cryptographic curve*, so key pairs are often referred to along with the name of their curve, e.g. "secp256k1" (the curve used by Bitcoin and Ethereum) or "ed25519" (the curve used by BigchainDB).

# Signing & Verifying

Using a private key, a device can *sign* any piece of data. Anyone can use the signature, the data, and the *public* key to mathematically verify the identity of the signer, and the integrity of the data.

Key pairs are the foundation of blockchain identity. Every transaction must be *signed* using a private key, and *verified* using the public key.

# Security & HSMs

As the foundation of digital identity, the private key must be kept absolutely private and secure. It should never be accessible outside of the hardware that created it. Specialized hardware that manages and performs these tasks is called a Hardware Security Module, or HSM. An HSM provides a Trusted Execution Environment (TEE) that can generate private/public key pairs, store them securely, and perform signing operations internally. The HSM's host system is only allowed to access the public key, or request that a piece of data be signed by the HSM, using one of its internal private keys.
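A software sketch of the boundary described above, as an added example (not code from the original page): a hypothetical `Signer` type stands in for the HSM, keeps an ed25519 private key in an unexported field, and exposes only the public key and a signing operation. It uses Go's standard `crypto/ed25519` package; the transaction bytes are constructed sample data, and a real HSM enforces this boundary in hardware rather than in a Go struct.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is a software stand-in for the HSM boundary (hypothetical type):
// the private key is unexported, so code outside this file's package can
// only read the public key or request a signature.
type Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner generates the key pair inside the boundary; the private key is
// never returned to the caller.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, pub: pub}, nil
}

func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }
func (s *Signer) Sign(data []byte) []byte      { return ed25519.Sign(s.priv, data) }

// Verify is what any third party runs: it needs only the public key, the
// data and the signature.
func Verify(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	device, err := NewSigner()
	if err != nil {
		panic(err)
	}
	other, _ := NewSigner()                   // an unrelated key pair
	tx := []byte(`{"to":"alice","amount":5}`) // constructed sample transaction
	tampered := []byte(`{"to":"alice","amount":500}`)
	sig := device.Sign(tx)
	fmt.Println("original data, signer's key:", Verify(device.PublicKey(), tx, sig))
	fmt.Println("tampered data:", Verify(device.PublicKey(), tampered, sig))
	fmt.Println("different public key:", Verify(other.PublicKey(), tx, sig))
}
```

Only the first check succeeds: changing a single byte of the data, or checking against another key pair's public key, makes verification fail.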