SIP-27: BLS-12381 Encryption Key Management for Non Private Key Wallet #27
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| | SIP-Number | <Leave this blank; it will be assigned by a SIP Editor> | | ||
| | ---: | :--- | | ||
| | Title | BLS-12381 Encryption Key Management for Non Private Key Wallet | | ||
| | Description | Specify the key derivation logic for an encryption key server | | ||
| | Author | Joy Wang (@joyqvq, [email protected])| | ||
| | Editor | <Leave this blank; it will be assigned by a SIP Editor> | | ||
| | Type | Standard | | ||
| | Category | Wallet | | ||
| | Created | 2024-05-09 | | ||
| | Comments-URI | <Leave this blank; it will be assigned by a SIP Editor> | | ||
| | Status | <Leave this blank; it will be assigned by a SIP Editor> | | ||
| | Requires | <Optional; SIP number(s), comma separated> | | ||
|
|
||
| ## Abstract | ||
|
|
||
| While it is proposed in SIP-TODO for a derivation path from a master private key, there are many use cases that a master private key is not available, such as zkLogin wallet and Multisig wallet. Here we propose a key server example on how an encryption key can be derived from a server master encryption seed based on a unique user identifier as an alternative custodial solution to encryption key management. | ||
|
|
||
| ## Motivation | ||
|
|
||
| This SIP is proposed as a custodial encryption key derivation solution to address the gaps for SIP-TODO where the master private key is not available. | ||
|
|
||
| ## Specification | ||
|
|
||
| In many cases there is no available key material in the wallet to derive the encryption key. For example, [zkLogin wallet](https://docs.sui.io/concepts/cryptography/zklogin) does not store any persistent private key to be used for derivation. Multisig wallet also does not have a master private key since the signing operation happens within each individual wallet. | ||
|
|
||
| Here we define a recommended setup for a centralized key server with authentication that can derive and serve a persistent encryption key for each user. | ||
|
|
||
| 1. Server holds a master seed. | ||
| 2. Server defines an endpoint and an authentication scheme. The request contains an unique user ID and an application ID. | ||
| 3. The server validates and authenticate the request, then responds with an encryption key by deriving it from master seed with domain separator as `sub || app_id` using [HKDF](https://datatracker.ietf.org/doc/html/rfc5869). | ||
|
|
||
|
There was a problem hiding this comment. HKDF returns a random byte array - Let's say that the output of the HKDF is of length field size + 128 bit -> and the secret key is computed using modulo the field size. |
||
| With a key server, the user does not need to maintain any key material. Simply, the applications that require encryption feature, can run a centralized server where the master seed is stored securely. Upon authenticated request, it hands out unique encryption keys per user per application. | ||
|
|
||
| ## Rationale | ||
|
|
||
| This key server is designed for custodial use cases where the application does not wish the user to manage their own encryption key. | ||
|
|
||
| ## Backwards Compatibility | ||
|
|
||
| The encryption key server does not affect any existing wallet features and therefore does not introduce backward compatibility. | ||
|
|
||
| ## Test Cases | ||
|
|
||
| ``` | ||
| | Master Private Key | App ID | User ID | BLS-12381 Encryption Private Key (Hex) | BLS-1239 Encryption Public Key (Hex) | | ||
| | 0000000000000000000000000000000000000000000000000000000000000000 | example_app | 0 | 0748650a7902d2bb550add95a24dc4325bcfdde7d5fef13f14155aa9b7321474 | b673a8dceab62d1563b497a6c2554dd55c5cbd12232ab8e35159c5ec73ac47c5a9dbacfc5b9f5322018f26f37e3d1cb4 | | ||
| | 0000000000000000000000000000000000000000000000000000000000000000 | example_app | 1 | 6c55c62fdfa9035e09caae7b04083661abbd4841d2999823b816c9f59b56dcfd | 92013452cf3a732ed4e71f6d66793fb0a7136dfac5884faa18cabf08017a018bf4a45621c41c7ea524da6198dde021ba | | ||
| | 0000000000000000000000000000000000000000000000000000000000000000 | example_app | 2 | 2850a172853f62eee09f66f864ebfe1ecd6eb48cd093d7279f806105d9061b56 | 810d4afa734d252e995f36fdda2551fd58e496d567b6f67ff686096279052b10345e8158379770e72d4d9144e523e925 | | ||
| | 0000000000000000000000000000000000000000000000000000000000000000 | example_app_2 | 0 | 0ec8bec62b50548c43ec2650b9f7ea392a9e9609531b55f351c8ca40f7e5c6b7 | a2fd14de353deb20568347b6912a6c425e2a468f9fbd3684751f5abd3bf9ae91b57c19c4f1484e6f460396a043a30d96 | | ||
| | 2850a172853f62eee09f66f864ebfe1ecd6eb48cd093d7279f806105d9061b56 | example_app | 0 | 4ba7f11098c7cdb19f871cb15ced14c79ed15b0decb96848f1fc6a7abea9de25 | 863bdf441e2ec513c655113733a9e9ca387a1ac1ba267f46de2c9e82882ec7d5b04981de0def1aef51f5b36f43b19929 | | ||
| ``` | ||
|
|
||
| ## Reference Implementation | ||
|
|
||
| See implementation in Rust [in option 2](https://github.com/MystenLabs/encrypted-nft-poc/blob/main/cli/README.md#generate-and-derive-encryption-key). | ||
|
|
||
| ## Security Considerations | ||
|
|
||
| The master seed should be stored securely considering HSM or enclave solutions. Otherwise, the compromise of the master seed implies all encryption key derived are compromised. In addition, the response containing users' encryption key should be sent over a TLS channel that is established between the user front-end and the HSM. | ||
|
|
||
| The authentication mechanism should be designed to only serve encryption keys to users that are authenticated. Otherwise, anyone can request an encryption key on behalf of other users. An authentication scheme can be considered is [OpenID](https://openid.net/specs/openid-connect-core-1_0.html) where `sub` is used as user ID and `aud` is used as the app ID. | ||
|
|
||
| The key server should be domain separated by both `user_id || app_id` to avoid key collison. | ||
|
|
||
| ## Copyright | ||
|
|
||
| [CC0 1.0](../LICENSE.md). | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of "domain separator", let's use
HKDF(ikm=master key, info = sub | app_if)