SRI - Research options for clients to generate, store and utilize EDDSA key pairs

[ognjenkurtic]

Overview

We need to understand what options are there for the future users of the BPI to manage EDDSA keys for two use-cases:

1. Login to the BPI (Auth)
2. Signing the tx payload

It might be that we need to build a simple UI where we provide option to sign a custom JSON with the user inputed private key.

Reference

• Any simple option where the client uses a tool available through the OS?
• Use Metamask as a base (Your ECDSA private key + the hash of the ECDSA public key) to generate EDDSA key pair which is stored in local storage?
• Build our own solution based on Ethers.js?
• ...

Acceptance

• research documented with a clear set of action items\implementation issues

Tasks

• Do it

[Therecanbeonlyone1969]

@ognjenkurtic the steps with Metamask are:

1. get pubkey_owner from accounts in MM through API
2. `message = keccack256(pubKey_owner)'
3. call the MM signing function API with the message as payload and the target account to use
4. API returns signature
5. Convert hex signature into Bigint number
6. That is the EdDSA privkey
7. Then generate the EdDSA pubkey from privkey using circom crypto library
8. Then use circom crypto library to create EdDSA signatures with privkey

@biscuitdey Did I forget anything?

[biscuitdey]

@ognjenkurtic the steps with Metamask are:

1. get pubkey_owner from accounts in MM through API
2. `message = keccack256(pubKey_owner)'
3. call the MM signing function API with the message as payload and the target account to use
4. API returns signature
5. Convert hex signature into Bigint number
6. That is the EdDSA privkey
7. Then generate the EdDSA pubkey from privkey using circom crypto library
8. Then use circom crypto library to create EdDSA signatures with privkey

@biscuitdey Did I forget anything?

@Therecanbeonlyone1969

Looks good! Takes care of the problem of storing private keys.

[fleischr]

Some pointers on how BRI-1 does this with Vault

Key creation:
https://docs.provide.technology/api/rest-api-v1/vault/keys/creating-a-key

Signing verification:
https://docs.provide.technology/api/rest-api-v1/vault/keys/signing-and-verifying

Keys are held in encrypted storage at the behalf of the organization - though the individual given enterprise/DID user is permitted access to use them

Implementation is catered moreso to enterprise backend services than crypto wallets like Metamask

Early january I can provide a demo

[fleischr]

Similar API to BRI-1's Vault

https://docs.turnkey.com/api

[biscuitdey]

Some pointers on how BRI-1 does this with Vault

Key creation: https://docs.provide.technology/api/rest-api-v1/vault/keys/creating-a-key

Signing verification: https://docs.provide.technology/api/rest-api-v1/vault/keys/signing-and-verifying

Keys are held in encrypted storage at the behalf of the organization - though the individual given enterprise/DID user is permitted access to use them

Implementation is catered moreso to enterprise backend services than crypto wallets like Metamask

Early january I can provide a demo

@fleischr Thank you for the resources.
I am aware that BRI-1 uses Vault for key management. I did look into implementing Hashicorp's Vault but we wanted something simple to implement in this iteration. We are already using Metamask for login and needed some easy way to convert the Metamask ECDSA key into EDDSA key (within circuits). Metamask wallet is handling the key management.