-
Notifications
You must be signed in to change notification settings - Fork 5.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Draft EIP: BLS12-381 Deterministic Account Hierarchy (#2334)
- Loading branch information
Showing
2 changed files
with
103 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
--- | ||
eip: 2334 | ||
title: BLS12-381 Deterministic Account Hierarchy | ||
author: Carl Beekhuizen <carl@ethereum.org> | ||
discussions-to: https://github.com/ethereum/EIPs/issues/2338 | ||
status: Draft | ||
type: Standards Track | ||
category: ERC | ||
created: 2019-09-30 | ||
requires: 2333 | ||
--- | ||
|
||
## Simple Summary | ||
|
||
This EIP defines the purpose of a given key, or family thereof, within a tree of keys. When combined with [EIP-2333](https://eips.ethereum.org/EIPS/eip-2333), the combination of a seed and knowledge of the desired purpose of a key is sufficient to determine a key pair. | ||
|
||
## Abstract | ||
|
||
A standard for allocating keys generated by [EIP-2333](https://eips.ethereum.org/EIPS/eip-2333) to a specific purpose. It defines a `path` which is a string that parses into the indices to be used when traversing the tree of keys that [EIP-2333](https://eips.ethereum.org/EIPS/eip-2333) generates. | ||
|
||
## A note on purpose | ||
|
||
This specification is designed not only to be an Ethereum 2.0 standard, but one that is adopted by the wider community who have adopted the BLS12-381 signature standard. It is therefore important also to consider the needs of the wider industry along with those specific to Ethereum. As a part of these considerations, it is the intention of the author that this standard eventually migrate to a more neutral repository in the future. | ||
|
||
## Motivation | ||
|
||
Ethereum 2.0 alongside many other projects will use BLS12-381 signatures. This new scheme requires a new key derivation mechanism, which is established within [EIP-2333](https://eips.ethereum.org/EIPS/eip-2333). This new scheme is incompatible with the current form of this specification ([BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)) due to the: exclusive use of hardened keys, the increased number of keys per level, not using [BIP32](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki) for key derivation. It is therefore necessary to establish a new *path* for traversing the [EIP-2333](https://eips.ethereum.org/EIPS/eip-2333) key-tree. | ||
|
||
The path structure specified in this EIP aims to be more general than [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki) by not having UTXO-centric features [which gave rise to the 4 different types of wallet paths being used within Ethereum 1.0](https://github.com/ethereum/EIPs/issues/84#issuecomment-292324521) and gave rise to (draft) EIPs [600](https://eips.ethereum.org/EIPS/eip-600) & [601](https://eips.ethereum.org/EIPS/eip-601) | ||
|
||
## Specification | ||
|
||
### Path | ||
|
||
The path traversed through the tree of keys is defined by integers (which indicate the sibling index) separated by `/` which denote ancestor relations. There are 4 levels (plus the master node) in the path and at least 4 (5 including the master node) MUST be used. | ||
|
||
```text | ||
m / purpose / coin_type / account / use | ||
``` | ||
|
||
#### Notation | ||
|
||
The notation used within the path is specified within the [EIP-2333](https://eips.ethereum.org/EIPS/eip-2333), but is summarized again below for convenience. | ||
|
||
* `m` Denotes the master node (or root) of the tree | ||
* `/` Separates the tree into depths, thus `i / j` signifies that `j` is a child of `i` | ||
|
||
### Purpose | ||
|
||
The `purpose` is set to `12381` which is the name of the new curve (BLS12-381). In order to be in compliance with this standard, the [EIP-2333](https://eips.ethereum.org/EIPS/eip-2333) MUST be implemented as the KDF and therefore, the purpose `12381` MAY NOT be used unless this is the case. | ||
|
||
### Coin Type | ||
|
||
The `coin_type` here reflects the coin number for an individual coin thereby acting as a means of separating the keys used for different chains. | ||
|
||
### Account | ||
|
||
`account` is a field that provides the ability for a user to have distinct sets of keys for different purposes, if they so choose. This is the level at which different accounts for a single user SHOULD to be implemented. | ||
|
||
### Use | ||
|
||
This level is designed to provide a set of related keys that can be used for any purpose. The idea being that a single account has many uses which are related yet should remain separate for security reasons. It is required to support this level in the tree, although, for many purposes it will remain `0`. | ||
|
||
### Eth2 Specific Parameters | ||
|
||
#### Coin type | ||
|
||
The coin type used for the BLS12-381 keys in Ethereum 2 is `3600`. | ||
|
||
#### Validator keys | ||
|
||
Each Eth2 validator has two keys, one for withdrawals and transfers (called the *withdrawal key*), and the other for performing their duties as a validator (henceforth referred to as the *signing key*). | ||
|
||
The path for withdrawal keys is `m/12381/3600/i/0` where `i` indicates the `i`th set of validator keys. | ||
|
||
The path for the signing key is `m/12381/3600/i/0/0` where again, `i` indicates the `i`th set of validator keys. Another way of phrasing this is that the signing key is the `0`th child of the associated withdrawal key for that validator. | ||
|
||
## Rationale | ||
|
||
`purpose`, `coin_type`, and `account` are widely-adopted terms as per [BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki) and [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki) and therefore reusing these terms and their associated meanings makes sense. | ||
|
||
The purpose needs to be distinct from these standards as the KDF and path are not inter-compatible and `12381` is an obvious choice. | ||
|
||
`account` separates user activity into distinct categories thereby allowing users to separate their concerns however they desire. | ||
|
||
`use` will commonly be determined at the application level providing distinct keys for non-intersecting use cases. | ||
|
||
### Eth2 Specific Parameters | ||
|
||
A new coin type is chosen for Eth2 keys to help ensure a clean separation between Eth2 and Eth1 keys. Although the distinction between Eth1 ETH and Eth2 ETH is subtle, they are distinct entities and there are services which only distinguish between coins by their coin name (eg. [ENS' multichain address resolution](https://eips.ethereum.org/EIPS/eip-2304)). `3600` is chosen specifically because it is the square of the Eth1's `coin_type` (`3600==60^2`) thereby signaling that it is second instantiation of Ether the currency. | ||
|
||
The primary reason validators have separate signing and withdrawal keys is to allow for the different security concerns of actions within Eth2. The signing key is given to the validator client where it signs messages as per the requirements of being a validator, it is therefore a "hot key". If this key is compromised, the worst that can happen (locally) is that a slashable message is signed, resulting in the validator being slashed and forcibly exited. The withdrawal key is only needed when a validator wishes to perform an action not related to validating and has access to the full funds at stake for that validator. The withdrawal key therefore has higher security concerns and should be handled as a "cold key". By having the signing key be a child of the withdrawal key, secure storage of the withdrawal key is sufficient to recover the signing key should the need arise. | ||
|
||
## Backwards Compatibility | ||
|
||
[BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki) and [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki) are the commonly used standards for this purpose within Ethereum 1.0, however they have not been `Accepted` as standards as yet. Due to the use of a new KDF within [EIP-2333](https://eips.ethereum.org/EIPS/eip-2333), a new path standard is required. This EIP implements this, with minor changes. | ||
|
||
`purpose` `12381` paths do not support hardened keys and therefore the `'` character is invalid. | ||
|
||
## Copyright | ||
|
||
Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/). |