crypto: use SLIP10 for ed25519 key derivation for ts and cli #4524

joyqvq · 2022-09-08T15:48:40Z

Ed25519 follows SLIP-0010 using hardened path with purpose = 44: m/44'/784'/{account_index}'/{change_index}'/{address_index}'

Secp256k1 follows BIP-32 using path where the first 3 levels are hardened with purpose = 54: m/54'/784'/{account_index}'/{change_index}/{address_index}

added test cases such that ts and cli are in parity for both schemes.
verified importing the generated phrase is the same

target/debug/sui client                                                                                                                                                                                                                                                                                           Config file ["/Users/joy/.sui/sui_config/client.yaml"] doesn't exist, do you want to connect to a Sui RPC server [yN]?y
Sui RPC server Url (Default to Sui DevNet if not specified) :
Select key scheme to generate keypair (0 for ed25519, 1 for secp256k1):
0
Generated new keypair for address with scheme "ed25519" [0x98421d59a34f458b224cc86a4b4684ada2018dde]
Secret Recovery Phrase : [sick pact rapid trial chaos tube remain fringe actual clog machine bulb]

target/debug/sui keytool import "sick pact rapid trial chaos tube remain fringe actual clog machine bulb" ed25519 "m/44'/784'/0'/0'/0'" 
2022-09-13T20:34:31.672453Z  INFO sui::keytool: Key imported for address [0x98421d59a34f458b224cc86a4b4684ada2018dde]

target/debug/sui client new-address secp256k1 "m/54'/784'/0'/0/1"
Created new keypair for address with scheme Secp256k1: [0x713f7b94802d829c920a1c4c9ccbac8669205eb5]
Secret Recovery Phrase : [reveal confirm foot shock vacant adult melody category shy deposit hard pig]

target/debug/sui keytool import "reveal confirm foot shock vacant adult melody category shy deposit hard pig" secp256k1 "m/54'/784'/0'/0/1"
2022-09-13T20:37:06.849647Z  INFO sui::keytool: Key imported for address [0x713f7b94802d829c920a1c4c9ccbac8669205eb5]

crates/sui-sdk/Cargo.toml

crates/sui-types/src/crypto.rs

joyqvq · 2022-09-08T15:58:16Z

wallet/src/shared/cryptography/mnemonics.ts

@@ -22,12 +22,16 @@ export function generateMnemonic(): string {
 }

 /**
- * Derive public key and private key from the Mnemonics
+ * Get public key and private key from the Mnemonics
 * @param mnemonics a 12-word seed phrase
 * @returns public key and private key
 */
 export function getKeypairFromMnemonics(mnemonics: string): Ed25519KeypairData {


we can try deprecate this method if the wallet team approves. we should always derive the key using SLIP-0010 (maybe with the default path to begin with)

We're trying to move to a multi-account setup in the wallet in the future, so I'd be in favor of deprecating this method to start preparing for that.

crates/sui-sdk/src/crypto.rs

joyqvq · 2022-09-08T20:21:23Z

crates/sui-sdk/tests/tests.rs

@@ -31,9 +31,8 @@ fn mnemonic_test() {
 /// This test confirms rust's implementation of mnemonic is the same with the Sui Wallet
 #[test]
 fn sui_wallet_address_mnemonic_test() -> Result<(), anyhow::Error> {


in a follow up pr, this test can be merged with keytool_test (this test class can be deprecated)

joyqvq · 2022-09-08T20:24:20Z

wallet/src/shared/cryptography/mnemonics.ts

 import nacl from 'tweetnacl';

-import type { Ed25519KeypairData } from '@mysten/sui.js';
+import type { Ed25519KeypairData, Secp256k1KeypairData } from '@mysten/sui.js';


the added the functions here is quite verbose to differentiate ed25519 vs secp256k1. this should really belong to the corresponding keypair file. will follow up a PR to move this class into sdk/typescript/cryptography

github-actions · 2022-09-13T20:20:23Z

💳 Wallet Extension has been built, you can download the packaged extension here: https://github.com/MystenLabs/sui/actions/runs/3079216656#artifacts

kchalkias · 2022-09-14T22:53:26Z

crates/sui-types/src/crypto.rs

@@ -478,6 +480,88 @@ where
 (kp.public().into(), kp)
 }

+/// Ed25519 follows SLIP-0010 using hardened path: m/44'/784'/0'/0'/{index}'
+/// Secp256k1 follows BIP-32 using path where the first 3 levels are hardened: m/54'/784'/0'/0/{index}
+/// Note that the purpose for Secp256k1 is registered as 54, to differentiate from Ed25519 with purpose 44.


kchalkias · 2022-09-14T22:53:55Z

crates/sui-types/src/crypto.rs

+/// Secp256k1 follows BIP-32 using path where the first 3 levels are hardened: m/54'/784'/0'/0/{index}
+/// Note that the purpose for Secp256k1 is registered as 54, to differentiate from Ed25519 with purpose 44.
+pub fn derive_key_pair_from_path(
+ seed: &[u8],


In a future PR let's have the seed as a distinct struct vs plain [u8]. Fine to merge as it is now; this will be a generic crypto refactoring.

kchalkias · 2022-09-14T22:54:39Z

crates/sui-types/src/crypto.rs

+ // The derivation path must be hardened at all levels with purpose = 44, coin_type = 784
+ if let &[purpose, coin_type, account, change, address] = p.as_ref() {
+ if purpose == ChildNumber::new(44, true).unwrap()
+ && coin_type == ChildNumber::new(784, true).unwrap()


I'd pin 784 and 44 as constants

kchalkias · 2022-09-14T22:55:14Z

crates/sui-types/src/crypto.rs

+ Some(p) => {
+ // The derivation path must be hardened at first 3 levels with purpose = 54, coin_type = 784
+ if let &[purpose, coin_type, account, change, address] = p.as_ref() {
+ if purpose == ChildNumber::new(54, true).unwrap()


ditto for 54, pin as const

5kbpers · 2022-09-16T17:26:43Z

crates/sui-types/src/crypto.rs

@@ -489,6 +494,106 @@ where
 (kp.public().into(), kp)
 }

+/// Ed25519 follows SLIP-0010 using hardened path: m/44'/784'/0'/0'/{index}'
+/// Secp256k1 follows BIP-32 using path where the first 3 levels are hardened: m/54'/784'/0'/0/{index}
+/// Note that the purpose for Secp256k1 is registered as 54, to differentiate from Ed25519 with purpose 44.


👀 I don't quite agree to use 54 for Secp256k1 if we follow bip44.

@5kbpers what do you suggest?

@kchalkias IMO just using 44 is fine, otherwise some developers may be confused that we did not follow the standard.

@5kbpers We need a way to distinguish between different key types. We realized other chains that support multiple schemes do that as well (usually for multi-sig), and we also picked 54 because there is no BIP54 (to avoid causing any confusion). Note that down the line Sui will support many key types and wallets should pick their favorite, but we need consistency on the deterministic derivation to allow for key (mnemonics) working with more than one vendors.

Ed25519 uses purpose as 44 and it would be the recommended signing scheme.
we want to explicitly use a different derivation path for each signature scheme, and purpose level would be the most appropriate to use.

while it's non-standard to use purpose 54 for bip44, it's used by other currencies such as bitcoin to signify different signature schemes using purpose as something else (https://github.com/trezor/trezor-firmware/blob/master/docs/misc/coins-bip44-paths.md#notes ) also eth2 BLS validator key derivation. (https://eips.ethereum.org/EIPS/eip-2334)

@joyqvq @kchalkias Thanks for your kind explanation! Understood what we were concerned about, now I think it looks good to me.

kchalkias

Awesome job and design decisions (i.e., using 54 for the ECDSA k1 path).
In the future, I want us to explore further if the mnemonics deps should stay in this repo or fastcrypto.