search

safe-global / safe-modules

A collection of modules that can be used with the Safe contract
GNU Lesser General Public License v3.0
150 stars 74 forks source link

Experiment Using PRF Extension For Signer Key Material #249

Open nlordell opened 9 months ago

nlordell commented 9 months ago

Context / issue

One of the big downsides of Webauthn is that most devices only support curves that are non-EVM native (P-256, RSA, Ed25519 to name the common ones). This means that, at least until EIP-7212 lands, ECDSA signature verification needs to be implemented in Solidity which adds ~300k gas overhead when verifying signatures.

There is a pseudo-random function extension (PRF) that allows credentials to provide additional 32-byte key material for use in the client. The use case for the extension, for example, request a credential when logging in with some additional key material, and then use this key material to decode some local storage data. However, this can also be used as key material to generate secp256k1 private keys for signing transactions.

Proposed solution

On account creation:

  1. Create the credential and request prf with a fixed first salt parameter
  2. Use the generate 32-byte key material as an HD wallet seed
  3. Compute the address of an account at a fixed HD wallet path (the default one for example, or a special index, etc.)
  4. Use the account as regular EOA owner to the Safe
  5. Discard the key material (ensuring it is only ever used ephemerally)

On transaction signing:

  1. Request the credential created :point_up: with prf and the same fixed first salt parameter
  2. Use the generate 32-byte key material as an HD wallet seed
  3. Sign the Safe transaction with the account with the same HD wallet path used during account creation
  4. Discard the key material (ensuring it is only ever used ephemerally)

Alternatives

Note that in the proposed solution, we always discard the key material right awayt after using it. If we want to provide a more "login once, sign many times" experience, we can even store the key material per session, and then not require an authenticator (i.e. device like iPhone) interaction per signature.

ennioVisco commented 9 months ago

which adds ~300k gas overhead when verifying signatures.

This doesn't sound right, as in current prices it would mean ~746 ETH

mmv08 commented 9 months ago

which adds ~300k gas overhead when verifying signatures.

This doesn't sound right, as in current prices it would mean ~746 ETH

300000 gas units * 32 gwei (current gas price) = 0,0096 ether, which is 22 USD with the current prices for just verifying a signature.