DCIPs/EIPS/eip-2645.md

72 lines
4.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
eip: 2645
title: Hierarchical Deterministic Wallet for Layer-2
author: Tom Brand <tom@starkware.co>, Louis Guthmann <louis@starkware.co>
discussions-to: https://ethereum-magicians.org/t/hierarchical-deterministic-wallet-for-computation-integrity-proof-cip-layer-2/4286
status: Stagnant
type: Standards Track
category: ERC
created: 2020-05-13
---
## Simple Summary
In the context of Computation Integrity Proof (CIP) Layer-2 solutions such as ZK-Rollups, users are required to sign messages on new elliptic curves optimized for those environnements. We leverage existing work on Key Derivation ([BIP32](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki), [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) and [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)) to define an efficient way to securely produce CIP L2s private keys, as well as creating domain separation between Layer-2 applications.
## Abstract
We provide a Derivation Path allowing a user to derive hierarchical keys for Layer-2 solutions depending on the zk-technology, the application, the users Layer-1 address, as well as an efficient grinding method to enforce the private key distribution within the curve domain. The propose Derivation Path is defined as follow
```
m / purpose' / layer' / application' / eth_address_1' / eth_address_2' / index
```
## Motivation
In the context of Computation Integrity Proof (CIP) Layer-2 solutions such as ZK-Rollups, users are required to sign messages on new elliptic curves optimized for those environnements. Extensive work has been done to make it secure on Bitcoin via [BIP32](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki), [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) and [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki). These protocols are the standard for wallets in the entire industry, independent of the underlying blockchain. As Layer-2 solutions are taking off, it is a necessary requirement to maintain the same standard and security in this new space.
## Specification
Starkware keys are derived with the following [BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki)-compatible derivation path, with direct inspiration from [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki):
```
m / purpose' / layer' / application' / eth_address_1' / eth_address_2' / index
```
where:
* `m` - the seed.
* `purpose` - `2645` (the number of this EIP).
* `layer` - the 31 lowest bits of sha256 on the layer name. Serve as a domain separator between different technologies. In the context of `starkex`, the value would be `579218131`.
* `application` - the 31 lowest bits of sha256 of the application name. Serve as a domain separator between different applications. In the context of DeversiFi in June 2020, it is the 31 lowest bits of sha256(starkexdvf) and the value would be `1393043894`.
* `eth_address_1 / eth_address_2` - the first and second 31 lowest bits of the corresponding eth_address.
* `index` - to allow multiple keys per eth_address.
As example, the expected path for address 0x0000....0000 assuming seed `m` and index 0 in the context of DeversiFi in June 2020: `m/2645'/579218131'/1393043894'/0'/0'/0`
The key derivation should follow the following algorithm
```
N = 2**256
n = Layer2 curve order
path = stark derivation path
BIP32() = Official BIP-0032 derivation function on secp256k1
hash = SHA256
i = 0
root_key = BIP32(path)
while True:
key = hash(root_key|i)
if (key < (N - (N % n))):
return key % n
i++
```
This algorithm has been defined to maintain efficiency on existing restricted devices.
Nota Bene: At each round, the probability for a key to be greater than (N - (N % n)) is < 2^(-5).
## Rationale
This EIP specifies two aspects of keys derivation in the context of Hierarchical Wallets:
- Derivation Path
- Grinding Algorithm to enforce a uniform distribution over the elliptic curve.
The derivation path is defined to allow efficient keys separation based on technology and application while maintaining a 1-1 relation with the Layer-1 wallet. In such a way, losing EIP-2645 wallets falls back to losing the Layer-1 wallet.
## Backwards Compatibility
This standard complies with BIP43.
## Security Considerations
This EIP has been defined to maintain separation of keys while providing foolproof logic on key derivation.
## Copyright
Copyright and related rights waived via [CC0](../LICENSE.md).