Add registration for hash-based-signing pubkeys to account-creation/account-update broadcast opps, and add registered hash-based pubkeys to output of get_accounts.
Context
I'm currently working on the CoinZdense project that aims to provide a set of hash-based-signing and least-authority sub-key-management for Web3 blockchains. The idea is that while ECDSA signing is quite safe right now, in the future, at some point in time, quantum computers will be large enough and have sufficient error-corrected qubits to derive an ECDSA private key from an ECDSA public key in polynomial time.
Here are the slides of the talk I did on the subject at HiveFest:
While actual use of hash-based signing key in HIVE might not be possible yet, it should be possible to implement a relatively simple feature for allowing hash-based-signing pubkeys to be registered similar to how today ECDSA pubkeys are registered for an account.
Disaster-recovery POC
Because the parameterization most suitable for HIVE is yet to be determined, derivation of alternate OWNER/ACTIVE/POSTING pubkeys from their private counterpart isn't possible yet. What is possible though is the registration of a simple one-time-signing pubkey meant specifically for disaster recovery. That is: For a one-time registration of the alternate OWNER/ACTIVE/POSTING pubkeys in the case that hash-based signing comes to late and needs to be implemented in a disaster recovery way.
Two post about the subject, and the proof of concept code:
The proof of concept code currently uses json_metadata to post a disaster recovery key, that for example looks something like this:
{
"profile": {
"profile_image": "https://t3.ftcdn.net/jpg/01/09/63/86/240_F_109638617_MTmUkqTFyRxRmPGEko7cTngrIGQHwVX9.jpg",
"name": "The Croupier Bot",
...
},
"coinzdense_disaster_recovery": {
"key": "QRKyifYKWzhpufRaCThVYtgWCj9TDW4qwGaH8YSgE",
"sig": "QH1SwjKoqPUZGgz9RqaBvFJMuakpBY1ywRCJKsnTHysLxgqWo9eXxZayMaRtiuDNsWeDKQVJX9NUzt8uKnuE7o4oBuxaDrq5Sv"
}
}
The use of json_metadata is OK for a Proof-Of-Concept, but towards the future and a solid implementation, treating both One-Time hash-based recovery keys and multi-level hash-based replacements for the ECDSA pubkeys for OWNER/ACTIVE/POSTING in a way similar to the way the in-use OWNER/ACTIVE/POSTING pubkeys are used right now seems like the proper way forward.
Registration of hash-based-signing pubkeys
I propose the addition of a new field, plus the addition of a field to any "owner", "active" or "posting" object within, to the following broadcast opps:
- account_create
- create_claimed_account
- account_update
The proposed new field would be called recovery and will get the exact same structure as the "owner", "active" or "posting" object.
Each of the now four fields would get the additional field "hb_key_auths", structured the same as "key_auths", but containing the hash-based pubkey instead of the ECDSA pubkey.
All of these would for now have to be optional fields.
An example with create_claimed_account:
[
"create_claimed_account",
{
"creator": "hiveio",
"new_account_name": "alice",
"owner": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM5b4i9gBqvh4sbgrooXPu2dbGLewNPZkXeuNeBjyiswnu2szgXx",
1
]
],
"hb_key_auths": [
[
"CZD23Szwf22GgCiwT6su9BaJ5ZaABEuySn5wf8U7aY",
1
]
]
},
"active": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM7ko5nzqaYfjbD4tKWGmiy3xtT9eQFZ3Pcmq5JmygTRptWSiVQy",
1
]
],
"hb_key_auths": [
[
"CZDsmQCJLCXUG2m1QQAXX2J68QJzDpJRY6NBtxU79",
1
]
]
},
"posting": {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [
[
"STM5xAKxnMT2y9VoVJdF63K8xRQAohsiQy9bA33aHeyMB5vgkzaay",
1
]
],
"hb_key_auths": [
[
"CZDKsS3Ta1UoPNFFVZn5r2yC8qcJhUJr5UoXtEKwi",
1
]
]
},
"recovery" : {
"weight_threshold": 1,
"account_auths": [],
"key_auths": [],
"hb_key_auths": [
[
"QRKyifYKWzhpufRaCThVYtgWCj9TDW4qwGaH8YSgE",
1
]
]
},
"memo_key": "STM8ZSyzjPm48GmUuMSRufkVYkwYbZzbxeMysAVp7KFQwbTf98TcG",
"json_metadata": "{}"
}
]
Adding hash-based-signing pubkeys to output of get_accounts.
As a mirror image to the above change, the same info added in the above should be returned in a get_accounts request. That is, the aditional "recovery" should be returned, and for each of the keys "owner", "active", "posting" and "recovery", the extra field "hb_key_auths" should be returned.