ERC-2334: BLS12-381 Deterministic Account Hierarchy
Simple Summary
This EIP defines the purpose of a given key, or family thereof, within a tree of keys. When combined with EIP-2333, the combination of a seed and knowledge of the desired purpose of a key is sufficient to determine a key pair.
Abstract
A standard for allocating keys generated by EIP-2333 to a specific purpose. It defines a path
which is a string that parses into the indices to be used when traversing the tree of keys that EIP-2333 generates.
A note on purpose
This specification is designed not only to be an Ethereum 2.0 standard, but one that is adopted by the wider community who have adopted BLS signatures over BLS12-381. It is therefore important also to consider the needs of the wider industry along with those specific to Ethereum. As a part of these considerations, it is the intention of the author that this standard eventually migrate to a more neutral repository in the future.
Motivation
Ethereum 2.0 alongside many other projects will use BLS signatures over BLS12-381, an IETF proposed standard. This new scheme requires a new key derivation mechanism, which is established within EIP-2333. This new scheme is incompatible with the current form of this specification (BIP44) due to the: exclusive use of hardened keys, the increased number of keys per level, not using BIP32 for key derivation. It is therefore necessary to establish a new path for traversing the EIP-2333 key-tree.
The path structure specified in this EIP aims to be more general than BIP44 by not having UTXO-centric features which gave rise to the 4 different types of wallet paths being used within Ethereum 1.0 and gave rise to (draft) EIP-600 & EIP-601
Specification
Path
The path traversed through the tree of keys is defined by integers (which indicate the sibling index) separated by /
which denote ancestor relations. There are 4 levels (plus the master node) in the path and at least 4 (5 including the master node) MUST be used.
Notation
The notation used within the path is specified within the EIP-2333, but is summarized again below for convenience.
m
Denotes the master node (or root) of the tree/
Separates the tree into depths, thusi / j
signifies thatj
is a child ofi
Purpose
The purpose
is set to 12381
which is the name of the new curve (BLS12-381). In order to be in compliance with this standard, the EIP-2333 MUST be implemented as the KDF and therefore, the purpose 12381
MAY NOT be used unless this is the case.
Coin Type
The coin_type
here reflects the coin number for an individual coin thereby acting as a means of separating the keys used for different chains.
Account
account
is a field that provides the ability for a user to have distinct sets of keys for different purposes, if they so choose. This is the level at which different accounts for a single user SHOULD to be implemented.
Use
This level is designed to provide a set of related keys that can be used for any purpose. The idea being that a single account has many uses which are related yet should remain separate for security reasons. It is required to support this level in the tree, although, for many purposes it will remain 0
.
Eth2 Specific Parameters
Coin type
The coin type used for the BLS12-381 keys in Ethereum 2 is 3600
.
Validator keys
Each Eth2 validator has two keys, one for withdrawals and transfers (called the withdrawal key), and the other for performing their duties as a validator (henceforth referred to as the signing key).
The path for withdrawal keys is m/12381/3600/i/0
where i
indicates the i
th set of validator keys.
The path for the signing key is m/12381/3600/i/0/0
where again, i
indicates the i
th set of validator keys. Another way of phrasing this is that the signing key is the 0
th child of the associated withdrawal key for that validator.
Note: If the above description of key paths is not feasible in a specific use case (eg. with secret-shared or custodial validators), then the affected keys may be omitted and derived via another means. Implementations of this EIP, must endeavour to use the appropriate keys for the given use case to the extent that is reasonably possible. (eg, in the case of custodial staking, the user making the deposits will follow this standard for their withdrawal keys which has no bearing on how the service provide derives the corresponding signing keys.)
Rationale
purpose
, coin_type
, and account
are widely-adopted terms as per BIP43 and BIP44 and therefore reusing these terms and their associated meanings makes sense.
The purpose needs to be distinct from these standards as the KDF and path are not inter-compatible and 12381
is an obvious choice.
account
separates user activity into distinct categories thereby allowing users to separate their concerns however they desire.
use
will commonly be determined at the application level providing distinct keys for non-intersecting use cases.
Eth2 Specific Parameters
A new coin type is chosen for Eth2 keys to help ensure a clean separation between Eth2 and Eth1 keys. Although the distinction between Eth1 ETH and Eth2 ETH is subtle, they are distinct entities and there are services which only distinguish between coins by their coin name (eg. ENS' multichain address resolution). 3600
is chosen specifically because it is the square of the Eth1's coin_type
(3600==60^2
) thereby signaling that it is second instantiation of Ether the currency.
The primary reason validators have separate signing and withdrawal keys is to allow for the different security concerns of actions within Eth2. The signing key is given to the validator client where it signs messages as per the requirements of being a validator, it is therefore a "hot key". If this key is compromised, the worst that can happen (locally) is that a slashable message is signed, resulting in the validator being slashed and forcibly exited. The withdrawal key is only needed when a validator wishes to perform an action not related to validating and has access to the full funds at stake for that validator. The withdrawal key therefore has higher security concerns and should be handled as a "cold key". By having the signing key be a child of the withdrawal key, secure storage of the withdrawal key is sufficient to recover the signing key should the need arise.
Backwards Compatibility
BIP43 and BIP44 are the commonly used standards for this purpose within Ethereum 1.0, however they have not been Accepted
as standards as yet. Due to the use of a new KDF within EIP-2333, a new path standard is required. This EIP implements this, with minor changes.
purpose
12381
paths do not support hardened keys and therefore the '
character is invalid.
Copyright
Copyright and related rights waived via CC0.