Phase 0 · proof of concept — the current federation is run entirely by us and offers no security guarantee. Do not protect real secrets with it.
Event-gated threshold conditional decryption
Decrypt only when the moment arrives.
Warden holds a decryption key across a federation of independent nodes and releases it the instant a condition on-chain becomes true — and not a moment before. Until then, the payload is unreadable by everyone, including the person it's meant for.
“The app seals the letter; Warden keeps the key until the on-chain moment, then releases it.”
The idea
A federation of independent nodes jointly holds one master key — no single node ever holds the whole thing. You encrypt a payload to a condition, not to a key. Until that condition is true on-chain, the ciphertext is gibberish to everyone. The instant it's true, a threshold of nodes each release a partial — and only then can the key be reassembled.
It's the same cryptography proven by drand and the League of Entropy — Boneh–Franklin IBE over threshold BLS — with one change: the trigger is an on-chain condition, not a clock.
How it works
Five steps. No single point of trust.
1. Distributed key generation. The federation jointly generates one master key (DKG). Each node holds only a share; the whole key never exists in any one place.
2. Encrypt to a condition. A client seals a payload and binds it to a condition — say executed(beatId)==true. The IBE identity is H(condition), so the condition can't be swapped after the fact.
3. Nodes watch the chain. Each node independently evaluates the condition against finalized chain state. No node acts on another's say-so — or on anyone's request to release early.
4. Release on truth. When the condition holds, a threshold t-of-n of nodes each return a partial decryption key. Fewer than t, and nothing can be recovered.
5. Combine & open. The client combines the partials into the decryption key and reads the payload. A moment earlier, it was unreadable to everyone — including its recipient.
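The five steps above in miniature, as an added sketch that is not Warden's code. It assumes a toy prime-order group (integers mod Q, where discrete logs are trivial) in place of BLS12-381, a simplified DKG with no share verification, and a constructed `chain_state` dict in place of finalized chain state. With no pairing it shows the key release and combination but not the IBE encryption itself, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group: integers mod the prime Q under addition. Assumption: stands in for
# BLS12-381; discrete logs are trivial here, so this shows the algebra only.
Q = 2**127 - 1

def identity(condition: str) -> int:
    """H(condition): the identity the payload is sealed to."""
    return int.from_bytes(hashlib.sha256(condition.encode()).digest(), "big") % Q

def _eval(poly, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(poly)) % Q

def dkg(n: int, t: int):
    """Simplified DKG (no commitments or complaints): each node deals a random
    degree t-1 polynomial; node i's share is the sum of all of them at x = i."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    shares = {i: sum(_eval(p, i) for p in polys) % Q for i in range(1, n + 1)}
    master = sum(p[0] for p in polys) % Q  # for checking only; no node computes it
    return shares, master

def node_partial(share: int, condition: str, chain_state: dict):
    """Release share * H(condition) only if this node's own view of finalized
    state (a constructed dict here) says the condition is true."""
    if chain_state.get(condition) is not True:
        return None
    return share * identity(condition) % Q

def combine(partials: dict) -> int:
    """Lagrange-interpolate {node_index: partial} at x = 0 to get master * H(condition)."""
    key = 0
    for i, part in partials.items():
        lam = 1
        for j in partials:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        key = (key + lam * part) % Q
    return key

if __name__ == "__main__":
    cond = "executed(42)==true"  # constructed beatId
    shares, master = dkg(n=5, t=3)
    parts = {i: node_partial(shares[i], cond, {cond: True}) for i in (1, 3, 5)}
    print(combine(parts) == master * identity(cond) % Q)
    print(combine({i: parts[i] for i in (1, 3)}) == master * identity(cond) % Q)
```

Any three of the five partials combine to the same key, and a key derived for one condition string is useless for a ciphertext sealed to another.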
What it gives you — and what it never touches
Gates timing, never content.
It guarantees
- Time-bound. Unreadable until the condition holds.
- Revocable. A condition can be made permanently unsatisfiable — turning the ciphertext into permanent gibberish. (Maktub does this with deactivate.)
- Permanent through churn. The master public key survives operator turnover via resharing — seal today, decrypt years later, even as the federation changes.
- General conditions. Contract-state, time, event, boolean-compound, cross-chain. executed==true is just one.
It is not
- A blockchain, a token, or consensus over arbitrary state.
- A storage layer — payloads live on Arweave / Filecoin / IPFS; Warden only handles keys.
- A custodian of plaintext — content stays end-to-end encrypted to the recipient (a double-wrap). Warden never sees what it gates.
- Governed by any single trusted party — security comes from independent operators, not from us.
Use cases
One primitive, many locks.
Anywhere a secret should stay sealed until something is provably true on-chain, Warden is the lock. It releases the key on the condition — your app builds the rest, and Warden never touches the asset itself.
Inheritance & pensions
Seal a nominee's access details — keys, instructions, documents — so they decrypt only when an on-chain condition says the time has come: proof of inactivity, a guardian threshold, an attestation. Warden releases the key; your app defines “when,” and never holds the funds.
inactive(account) ≥ N
Sealed-bid auctions
Bidders encrypt to the auction's close condition. No one — not even the auctioneer — can read a bid until it closes; then every bid opens at once. Sealed-bid fairness with no trusted party.
auctionClosed(id)
Decentralized voting
Ballots are encrypted to the “voting closed” condition, so no one — not even the organizers — can watch a running tally or lean on a voter mid-vote. The instant voting closes on-chain, every ballot opens at once and the count is verifiable.
votingClosed(id)
Conditional contracts & escrow
Release the terms, credentials, or deliverables of an agreement only when its milestone is met on-chain. Unreadable until the contract says go.
milestoneMet(id)
Embargoed disclosure
Filings, research, or reporting that decrypts only after a date, a vote, or an event is proven on-chain — embargoes that enforce themselves, with no gatekeeper to lean on.
blockTime ≥ T
Break-glass access
Emergency credentials that stay sealed until a guardian threshold or an oracle declares the emergency real — no standing access sitting around to be abused.
guardiansApprove(k of n)
Vesting & staged unlocks
Each tranche of keys, secrets, or instructions decrypts as its condition holds — time-locked or event-locked, and across chains if you need it.
vested(tranche)
Lineage
Warden doesn't invent new cryptography. It reuses the well-studied machinery behind drand's tlock — Boneh–Franklin IBE over threshold BLS on BLS12-381, distributed key generation, and resharing — and runs it as a public good, the way the League of Entropy runs drand. The one substitution: drand releases on time (a round number); Warden releases on an on-chain condition. Same foundations, a different trigger.
Where it is
Honest about the stage.
- Now: Phase 0 — proof of concept, open source. The crypto core, the double-wrap envelope, the node + condition-watcher, the client, and a live Base Sepolia end-to-end harness are built; the crypto loop is proven offline. The source, specs, and threat model are public under MIT on GitHub. The testnet federation is all-ours, which means zero security by design — not for real secrets.
- Next: Public testnet — independent operators running real nodes.
- Then: Independent audit — a third-party review of the cryptography and the node, the gate before any mainnet federation.
- Then: A mainnet federation of independent operators, committed to permanence — no forced re-keying, no sunsets.
Join the federation
Be a founding operator.
Warden's security isn't ours to hand out — it comes from independent operators, each holding one share, none able to act alone. We're forming the founding federation now. Run a node and you're not a user of this network; you're part of what makes it trustworthy.
How your node helps
- Decentralizes trust. Every independent operator makes early decryption or censorship harder — no individual, and no small group, can open a payload before its condition holds or block its release.
- Makes permanence real. Operators who stay, and reshare through churn, are why a payload sealed today can still open years from now.
- Strengthens liveness. Nodes across different operators, jurisdictions, and clouds mean no single point of failure — and nothing to coerce in one place.
- Builds a commons. Like drand's League of Entropy, one well-run federation can serve many applications at once. Your node is shared public infrastructure.
What you gain
- A founding seat. Shape the protocol and the spec while they're still forming — founding operators set the norms.
- Standing as public-good infrastructure. The League-of-Entropy model put its operators on the map; this is the chance to hold that role for a new primitive.
- Light to run. One binary (a Docker image is published), modest hardware, and it reads chains for free — no heavy ops, no gas to operate.
- Honest terms. No token to buy, no payment to chase. Warden is a public good, run as a contribution — we say so plainly.
Today the federation is a proof of concept we run ourselves — which is exactly why we want independent operators to make it real. Open source, an audit, and a public testnet come first; founding operators are in from there.
Get in touch
Curious, or ready to start?
Whether you'd run a node, dig into the cryptography, or just follow along as Warden moves toward a public testnet — reach out. The public pieces are below.
Open source under MIT — the code, the specs, and the threat model are all public. An independent audit is the next milestone before any mainnet federation.