Can I use a BLS12-381 private key to sign Ethereum transactions

cryptographyprivate-keysecp256k1signaturetransactions

I'm new to cryptography and I've recently been studying BLS signatures. Please forgive me if I make any mistakes while writing.

I've tried generating a BLS key pair and using the private key to derive an Ethereum account and sign on-chain transactions. I used the 'mattrglobal' library to generate the BLS keys, and then passed the private key to the 'ethereumjs-wallet' library to derive an account.

const {
  generateBls12381G2KeyPair,
} = require("@mattrglobal/node-bbs-signatures");

const {
  default: { fromPrivateKey },
} = require("ethereumjs-wallet");

const keyPairTest = (async function () {

  const keyPair = await generateBls12381G2KeyPair();

  const wallet = fromPrivateKey(Buffer.from(keyPair.secretKey));

  console.log(`secretKey: ${Buffer.from(keyPair.secretKey).toString("hex")}`);
  console.log(`ethereum address: ${wallet.getAddressString()}`);

})();

Even though I was able to derive an Ethereum public key, I didn't expect to be able to sign valid Ethereum transactions, because I thought that the different curve parameters would prevent me from generating valid signatures for the transactions.

However, by directly using the private key on MetaMask (on the Sepolia testnet), I was able to perform a simple fund transfer transaction and deploy a smart contract.

How is this possible? Am I overlooking something?

It seems to me that it is generally not recommended to use the same key for two different types of signatures, is that correct?

Best Answer

Can I use a BLS12-381 private key to sign Ethereum transactions

Short answer: yes.

Why is this possible? Because the space in which the private keys live for BLS signatures on BLS12-381 is smaller than that in which keys for ECDSA over secp256k1 live.

Breaking it down

If we follow the code from generateBls12381G2KeyPair function we see that it uses gen_sk to generate the private key, which creates a random element of the field GF(r) where r is the prime order of the groups in the pairing construction for BLS12-381 (the private key is essentially a random number in the range [0,r-1]).

On the other hand, if we follow the code from fromPrivateKey we see that the private key for Ethereum must be in the range [0,n] where n is the order of the elliptic curve group for secp256k1.

Comparing the 2 numbers we see that clearly n>r so the validation checks in fromPrivateKey will pass.

r = 52435875175126190479447740508185965837690552500527637822603658699938581184513
n = 115792089237316195423570985008687907852837564279074904382605163141518161494337

It seems to me that it is generally not recommended to use the same key for two different types of signatures, is that correct?

I wouldn't recommend it because (AFAIK) there is no explicit security proof showing that one cannot use BLS & ECDSA signatures generated using the same private key to do things like forge new signatures or learn information about the private key. Having said that however, there is also no known way to do such attacks (again, AFAIK) so it's not publicly broken.

Related Solutions

[Ethereum] EthereumJS: How to get public key from private key

ethereumjs-wallet can be used to get public key from private key:

> const hdkey = require('ethereumjs-wallet/hdkey')
> const privateKey = hdkey.fromMasterSeed('random')._hdkey._privateKey
> const Wallet = require('ethereumjs-wallet')
> const wallet = Wallet.fromPrivateKey(privateKey)
> wallet.getPublicKeyString()
'0x11f2b30c9479ccaa639962e943ca7cfd3498705258ddb49dfe25bba00a555e48cb35a79f3d084ce26dbac0e6bb887463774817cb80e89b20c0990bc47f9075d5'
> wallet.getPublicKey()
<Buffer 11 f2 b3 0c 94 79 cc aa 63 99 62 e9 43 ca 7c fd 34 98 70 52 58 dd b4 9d fe 25 bb a0 0a 55 5e 48 cb 35 a7 9f 3d 08 4c e2 6d ba c0 e6 bb 88 74 63 77 48 ... >

Another option is to use ethereumjs-util (which is used by ethereumjs-wallet internally):

> const util = require('ethereumjs-util')
> util.privateToPublic(privateKey)
<Buffer 11 f2 b3 0c 94 79 cc aa 63 99 62 e9 43 ca 7c fd 34 98 70 52 58 dd b4 9d fe 25 bb a0 0a 55 5e 48 cb 35 a7 9f 3d 08 4c e2 6d ba c0 e6 bb 88 74 63 77 48 ... >

Yet another option is secp256k1:

> const secp256k1 = require('secp256k1')
> secp256k1.publicKeyCreate(privateKey, false).slice(1)
<Buffer 11 f2 b3 0c 94 79 cc aa 63 99 62 e9 43 ca 7c fd 34 98 70 52 58 dd b4 9d fe 25 bb a0 0a 55 5e 48 cb 35 a7 9f 3d 08 4c e2 6d ba c0 e6 bb 88 74 63 77 48 ... >

slice(1) is to drop type byte which is hardcoded as 04 ethereum.

[Ethereum] Extended private key vs private key

You don't sign the transaction with the Master Private Key. You sign it with the private key that corresponds to the sender's address:

const hdkey = require('ethereumjs-wallet/hdkey');
const bip39 = require('bip39');
var seed = bip39.mnemonicToSeed('my_mnemonic', 'my_password');
var chain = hdkey.fromMasterSeed(seed);
var addr_node = chain.derivePath(senders_derivation_path);
//if addr is the same with the address you want to send from, then its corresponding private_key will also be valid. Otherwise, most probably the senders_derivation_path is wrong
var addr = addr_node.getWallet().getAddressString();
var private_key = addr_node.getWallet().getPrivateKey();

Best Answer

Breaking it down

Related Solutions

[Ethereum] EthereumJS: How to get public key from private key

[Ethereum] Extended private key vs private key

Related Topic