HIP-632: Hedera Account Service (HAS) System Contract
Author | Nana Essilfie-Conduah, Luke Lee |
---|---|
Working Group | Danno Ferrin, Richard Bair, Ashe Oro, Atul Mahamuni, David Bakin |
Requested By | David Bakin <@david-bakin-sl> |
Discussions-To | https://github.com/hashgraph/hedera-improvement-proposal/discussions/638 |
Status | Accepted ⓘ |
Needs Council Approval | Yes ⓘ |
Review period ends ⓘ | Tue, 10 Jan 2023 07:00:00 +0000 |
Type | Standards Track ⓘ |
Category | Service ⓘ |
Created | 2022-11-28 |
Updated | 2024-09-13 |
Requires | 583 |
Table of Contents
Abstract
Hedera accounts have the capability to have a linked EVM address alias, an EVM address. In this way smart contracts can deal interact with Hedera accounts.
Accounts now have an organized presentation of different address formats that support historical formats and EVM equivalent formats. These addresses may be stored within smart contract state but their usefulness is limited without the ability to differentiate addresses.
These methods will be placed in the system contract for the Hedera Account Service (HAS
).
Motivation
Since the same account may be referred to with two different 20-byte identifiers (EVM address alias or Hedera account num alias), to avoid issues of loss of balance and permissions it is important that developers can distinguish between Hedera Account IDs and EVM addresses and translate easily between them.
Many smart contracts utilize ECRECOVER
as part of their authorization process in smart contracts.
However, this is limited to ECDSA
based signatures, which leaves accounts that have ED25519
and complex key types, supported by Hedera,
unable to do similar authorization.
To provide good user experience and to allow Hedera users to enjoy additional feature benefits over EVM equivalanece, it is important to provide authorization options within smart contract for non-ECDSA keys.
Definitions
An account-num alias is the encoded form of a Hedera account ID’s num
field - an 8-byte number padded to an EVM 20-byte address by adding
12 bytes of 0
to the front of it.
An EVM address alias is an EVM address associated with a Hedera account ID.
- The Hedera account may be a “hollow” account.
Both aliases thus present as 20-byte Ethereum addresses.
See HIP-583 for a full description of account-num aliases and EVM address aliases.
- This HIP does not address HIP-583 key aliases.
Rationale
In smart contract executions the EVM will provide msg.sender
values as either an account-num alias or EVM address alias.
To support authorization flows that check addresses explicitly in smart contract code, the network should support smart contract distinguishing operations that allow smart contract to distinguish between the two forms.
Additionally, to support standard implicit checks the network should support system contract checks in a manner similar ECRECOVER
for easy developer support.
User stories
- As a developer I want to be able to distinguish between Hedera Account ID and aliases within a smart contract so I can resolve address mappings in balance, permission or similar scenarios.
- As a developer I want to be able to confirm account authorization within a contract using simple
ECDSA
/ED2519
key raw signatures as I would on Ethereum usingECRECOVER
. - As a developer I want to be able to confirm account authorization for
ECDSA
accounts within a contract without being limited toECRECOVER
. - As a developer I want to be able to confirm account authorization for accounts within a contract using protobuf signature maps in a similar fashion as I would on Ethereum using
ECRECOVER
.
Specification
A new system contract with functions to support address (Hedera Account ID and EVM address alias) mapping and authorization is proposed.
This will aid developers to support smart contract migration logic for cases where aliases are encountered.
Additionally, EVM developers, who were limited to ECRECOVER
authorization flows, will be able to expand
authorization checks to other key types.
HAS methods here can use EVM-styled 20-byte addresses which are either Hedera account num aliases or EVM address aliases.
-
In this document the word alias, by itself, means either kind of alias.
(n.b.: See HIP-583 for definitions of Hedera account num alias and EVM address alias. Hedera key aliases, defined there, are not supported by these methods.)
hash | signature | return | description |
---|---|---|---|
0xdea3d081 |
getEvmAddressAlias(address) | (ResponseCode, address) | given a Hedera Account ID (account num alias) returns the EVM address alias, if present |
0xbbf12d2e |
getHederaAccountNumAlias(address) | (ResponseCode, address) | given an alias returns the top level Hedera Account ID (as account num alias), if applicable |
0x308ef301 |
isValidAlias(address) | bool | true if an account num alias or evm address alias), false if non existing account |
0xb2526367 |
isAuthorized(address, bytes /*message*/, bytes /*signatureBlob*/) | (ResponseCode, bool) | true if account (named by an alias) is authorized to carry out transaction execution on account. Accepts protobuf key signature blobs. May be used for ECDSA, ED25519 and complex key flows |
0xb2a31da4 |
isAuthorizedRaw(address, bytes /*messageHash*/, bytes /*signatureBlob*/) | bool | true if account (named by an alias) is authorized to carry out transaction execution on account. Accepts single key raw signature blobs (ECDSA and ED25519). This provides similar logic to ECRECOVER. |
isAuthorizedRaw(address, messageHash, signatureBlob)
Function Usage
This function is similar to using the ECRECOVER precompile function. Ethereum uses the secp256k1 curve to produce signatures which are 65 bytes in length (length of v = 1 byte and length of r and s = 32 bytes each). ED25519 signatures are 64 bytes in length. The address given is an alias. The appropriate message hash for the key type is given.
The isAuthorizedRaw
function call will perform the following steps to determine its result:
- If not a Hedera account-num alias then return the result of
isValidAlias
. Otherwise (an EVM address alias): - If the length of the signatureBlob is 65 bytes in length (EC signature):
- Extract v, r and s and run
ECRECOVER(messageHash, v, r, s)
. If the alias is an EVM address alias: Returntrue
iff the recovered address is the alias. If the alias is a Hedera account-num id: Returntrue
if the result matches the alias on the account or if the account has a single primitive EC key thentrue
if the result matches the address derived from that public key.
- Extract v, r and s and run
- Otherwise, if length of signatureBlob is 64 bytes in length (ED signature):
- Retrieve the Hedera address from the EVM address alias; if there is none return
false
. Determine if there is a single primitive ED key associated with the Hedera Account ID. If not return false. - If there is a single key, verify that the signature (the signatureBlob) signs the message hash and is attested by the account.
- Retrieve the Hedera address from the EVM address alias; if there is none return
Calls to this method incur additional gas charges corresponding to the resource cost of validating a signature.
isAuthorized(address, message, signatureBlob)
Function Usage
This function is used for Hedera account (non Ethereum) signature validation. It handles the more complex signature types
which are available with Hedera accounts. One or more signatures will be encoded in protobuf format into the signatureBlob.
The message that the signatures are for is given.
The precompile function will look up the keys for the account and determine if the signatures passed in via the signatureBlob satisfy the signing requirements for the account. For example, if the account has a threshold key of needing 3 out of 4 signatures, the precompile function will validate signature against the message with each key on the account and determine if at least 3 signatures in the signatureBlob matches.
Calls to this method incur additional gas charges corresponding to the resource cost of validating a signature, plus the (variable) cost of doing a cryptographic hash on the message.
The signatureBlob could be limited to encoding the following protobuf schema definitions:
message SignatureMap {
/**
* Each signature pair corresponds to a unique Key required to sign the transaction.
*/
repeated SignaturePair sigPair = 1;
}
message SignaturePair {
/**
* First few bytes of the public key
*/
bytes pubKeyPrefix = 1;
oneof signature {
/**
* smart contract virtual signature (always length zero)
*/
bytes contract = 2;
/**
* ed25519 signature
*/
bytes ed25519 = 3;
/**
* RSA-3072 signature
*/
bytes RSA_3072 = 4;
/**
* ECDSA p-384 signature
*/
bytes ECDSA_384 = 5;
/**
* ECDSA(secp256k1) signature
*/
bytes ECDSA_secp256k1 = 6;
}
}
(This method does not support ECDSA p-384 signatures or RSA signatures).
Notes
isAuthorized
takes a message, not a message hash: This is because a complex key might include both EC and ED keys, and EC and ED signatures use different cryptographic hashes.
Backwards Compatibility
This functionality is newly proposed and thus does not overwrite or alter existing functionality.
Security Implications
The ledger and the EVM maintain their authorization capabilities. In fact, it may be argued security is enhanced by the precompile support for contracts to verify both raw and protocol formatted signatures.
As always users and developers are responsible for key hygiene and proper storage of keys.
How to Teach This
Give example of using each function in context to show how they can be used to duplicate and enhance existing functionality available in Ethereum.
Reference Implementation
(New) Response Codes That Can Be Returned
INVALID_ARGUMENT_TO_SYSTEM_CONTRACT_METHOD
- an argument to a system contract method is invalid (e.g., byte array of wrong length)ACCOUNT_MUST_HAVE_KEY
- account specified must have a keyACCOUNT_MUST_HAVE_PRIMITIVE_KEY
- account specified must have a primitive key, i.e., not a threshold key or keylist
Rejected Ideas
- There’s no way to have an
EDRECOVER
similar toECRECOVER
in returning an address rather than abool
because you can’t actually get back the address from an ED25519 signature, the wayECRECOVER
can.
Open Issues
References
- HIP-583 “Expand alias support in CryptoCreate & CryptoTransfer Transactions”
- ECRECOVER Precompiled Contract
- Ethereum Yellow Paper
- Protobuf restrictions for Hedera Precompile methods
Copyright/license
This document is licensed under the Apache License, Version 2.0 – see LICENSE or (https://www.apache.org/licenses/LICENSE-2.0)
Citation
Please cite this document as: