From df6414d040e7a4909f7532960f654bbbf897922b Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Thu, 8 Oct 2020 20:47:05 -0400 Subject: [PATCH 01/16] adr --- docs/architecture/adr-032-change-pubkey.md | 81 ++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 docs/architecture/adr-032-change-pubkey.md diff --git a/docs/architecture/adr-032-change-pubkey.md b/docs/architecture/adr-032-change-pubkey.md new file mode 100644 index 0000000000..bc20b34396 --- /dev/null +++ b/docs/architecture/adr-032-change-pubkey.md @@ -0,0 +1,81 @@ +# ADR 032: Change PubKey + +## Changelog + +- 30-09-2020: Initial Draft + +## Status + +Proposed + +## Context + +Currently, in the Cosmos SDK, the address of an auth account is always based on the hash of the public key. Once an account is created, the public key for the account is set in stone, and cannot be changed. This can be a problem for users, as key rotation is a useful security practice, but is not possible currently. Furthermore, as multisigs are a type of pubkey, once a multisig for an account is set, it can not be updated. This is problematic, as multisigs are often used by organizations or companies, who may need to change their set of multisig signers for internal reasons. + +Transferring all the assets of an account to a new account with the updated pubkey is not sufficient, because some "engagements" of an account are not easily transferable. For example, in staking, to transfer bonded Atoms, an account would have to unbond all delegations and wait the three week unbonding period. Even more significantly, for validator operators, ownership over a validator is not transferrable at all, meaning that the operator key for a validator can never be updated, leading to poor operational security for validators. + +## Decision + +We propose the creation of a new feature called `changepubkey` that is an extension to `auth` that allows accounts to update the public key associated with their account, while keeping the address the same. + +This is possible because the Cosmos SDK `StdAccount` stores the public key for an account in state, instead of making the assumption that the public key is included in the transaction (whether explicitly or implicitly through the signature) as in other blockchains such as Bitcoin and Ethereum. Because the public key is stored on chain, it is okay for the public key to not hash to the address of an account, as the address is not pertinent to the signature checking process. + +To build this system, we design a new Msg type as follows: + +```protobuf +message MsgChangePubKey { + bytes address = 1 [ + (gogoproto.casttype) = "github.com/cosmos/cosmos-sdk/types.AccAddress" + ]; + bytes pub_key = 2 [ + (gogoproto.jsontag) = "public_key,omitempty", (gogoproto.moretags) = "yaml:\"public_key\"" + ]; +} +``` + +As an example, account pubkey change message can be defined as follows. + +```json +{ + "type": "cosmos-sdk/StdTx", + "value": { + "address": "cosmos1wf5h7meplxu3sc6rk2agavkdsmlsen7rgsasxk", + "public_key": "cosmospub1addwnpepqdszcr95mrqqs8lw099aa9h8h906zmet22pmwe9vquzcgvnm93eqygufdlv" + }, + "signature": "a9n7pIqCUuYJTCm7ZBv1cqqlM3uYyX/7SnaSXA8zrG0CBWP6p55pTFFHYn39tVvFtRbGE7gXF1qCiaOilJ8NtQ==" +} +``` + +Here, the signature is signed for the public key thats current in-state for account `cosmos1wf5h7meplxu3sc6rk2agavkdsmlsen7rgsasxk`, as normally done in the ante-handler. + +Once, approved, the handler for this message type, which takes in the AccountKeeper, will update the in-state pubkey for the account and replace it with the pubkey from the Msg. + +Because an account can no longer be pruned from state once its pubkey has changed, we can charge an additional gas fee for this operation to compensate for this this externality (this bound gas amount is configured as parameter `PubKeyChangeCost`). The bonus gas is charged inside handler, using the `ConsumeGas` function. + +```go + amount := ak.GetParams(ctx).PubKeyChangeCost + ctx.GasMeter().ConsumeGas(amount, "pubkey change fee") +``` + + +## Consequences + +### Positive + +* Will allow users and validator operators to employ better operational security practices with key rotation. +* Will allow organizations or groups to easily change and add/remove multisig signers. + +### Negative + +Breaks the current assumed relationship between address and pubkeys as H(pubkey) = address. This has a couple of consequences. + +* We cannot prune accounts with 0 balance that have had their pubkey changed (we currently do not currently do this anyways, but the reason we have account numbers is presumably for this purpose). +* This makes wallets that support this feature more complicated. For example, if an address on chain was updated, the corresponding key in the CLI wallet also needs to be updated. + +### Neutral + +* While the purpose of this is intended to allow the owner of an account to update to a new pubkey they own, this could technically also be used to transfer ownership of an account to a new owner. For example, this could be use used to sell a staked position without unbonding or an account that has vesting tokens. However, the friction of this is very high as this would essentially have to be done as a very specific OTC trade. Furthermore, additional constraints could be added to prevent accouns with Vesting tokens to use this feature. +* Will require that PubKeys for an account are included in the genesis exports. + +## References + From 2affa79c0ab438a2ed538aef013eb8e58247e1b7 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Tue, 13 Oct 2020 10:13:30 -0400 Subject: [PATCH 02/16] adr 32 -> 34 --- .../{adr-032-change-pubkey.md => adr-034-change-pubkey.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename docs/architecture/{adr-032-change-pubkey.md => adr-034-change-pubkey.md} (99%) diff --git a/docs/architecture/adr-032-change-pubkey.md b/docs/architecture/adr-034-change-pubkey.md similarity index 99% rename from docs/architecture/adr-032-change-pubkey.md rename to docs/architecture/adr-034-change-pubkey.md index bc20b34396..54597a9ba5 100644 --- a/docs/architecture/adr-032-change-pubkey.md +++ b/docs/architecture/adr-034-change-pubkey.md @@ -1,4 +1,4 @@ -# ADR 032: Change PubKey +# ADR 034: Change PubKey ## Changelog From 30c13ea5549b614d26c1b1d35ee5729863cf6de7 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Wed, 21 Oct 2020 15:37:40 -0400 Subject: [PATCH 03/16] Apply suggestions from code review Co-authored-by: Aaron Craelius --- docs/architecture/adr-034-change-pubkey.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/docs/architecture/adr-034-change-pubkey.md b/docs/architecture/adr-034-change-pubkey.md index 54597a9ba5..25265e4f30 100644 --- a/docs/architecture/adr-034-change-pubkey.md +++ b/docs/architecture/adr-034-change-pubkey.md @@ -16,7 +16,7 @@ Transferring all the assets of an account to a new account with the updated pubk ## Decision -We propose the creation of a new feature called `changepubkey` that is an extension to `auth` that allows accounts to update the public key associated with their account, while keeping the address the same. +We propose the creation of a new feature to `x/auth` that allows accounts to update the public key associated with their account, while keeping the address the same. This is possible because the Cosmos SDK `StdAccount` stores the public key for an account in state, instead of making the assumption that the public key is included in the transaction (whether explicitly or implicitly through the signature) as in other blockchains such as Bitcoin and Ethereum. Because the public key is stored on chain, it is okay for the public key to not hash to the address of an account, as the address is not pertinent to the signature checking process. @@ -24,12 +24,8 @@ To build this system, we design a new Msg type as follows: ```protobuf message MsgChangePubKey { - bytes address = 1 [ - (gogoproto.casttype) = "github.com/cosmos/cosmos-sdk/types.AccAddress" - ]; - bytes pub_key = 2 [ - (gogoproto.jsontag) = "public_key,omitempty", (gogoproto.moretags) = "yaml:\"public_key\"" - ]; + string address = 1; + google.protobuf.Any pub_key = 2; } ``` @@ -78,4 +74,3 @@ Breaks the current assumed relationship between address and pubkeys as H(pubkey) * Will require that PubKeys for an account are included in the genesis exports. ## References - From cb99dbd413f6a3e9b7500f7a43a2d935a028cd3f Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Wed, 21 Oct 2020 21:42:06 -0400 Subject: [PATCH 04/16] Apply suggestions from code review Co-authored-by: Aaron Craelius --- docs/architecture/adr-034-change-pubkey.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docs/architecture/adr-034-change-pubkey.md b/docs/architecture/adr-034-change-pubkey.md index 25265e4f30..ff262495ef 100644 --- a/docs/architecture/adr-034-change-pubkey.md +++ b/docs/architecture/adr-034-change-pubkey.md @@ -31,16 +31,6 @@ message MsgChangePubKey { As an example, account pubkey change message can be defined as follows. -```json -{ - "type": "cosmos-sdk/StdTx", - "value": { - "address": "cosmos1wf5h7meplxu3sc6rk2agavkdsmlsen7rgsasxk", - "public_key": "cosmospub1addwnpepqdszcr95mrqqs8lw099aa9h8h906zmet22pmwe9vquzcgvnm93eqygufdlv" - }, - "signature": "a9n7pIqCUuYJTCm7ZBv1cqqlM3uYyX/7SnaSXA8zrG0CBWP6p55pTFFHYn39tVvFtRbGE7gXF1qCiaOilJ8NtQ==" -} -``` Here, the signature is signed for the public key thats current in-state for account `cosmos1wf5h7meplxu3sc6rk2agavkdsmlsen7rgsasxk`, as normally done in the ante-handler. From 68ba5647a24be83bb008a6bebbbdf508f43e2cc7 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Wed, 21 Oct 2020 21:42:47 -0400 Subject: [PATCH 05/16] Update adr-034-change-pubkey.md --- docs/architecture/adr-034-change-pubkey.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/architecture/adr-034-change-pubkey.md b/docs/architecture/adr-034-change-pubkey.md index ff262495ef..75d69ac428 100644 --- a/docs/architecture/adr-034-change-pubkey.md +++ b/docs/architecture/adr-034-change-pubkey.md @@ -29,10 +29,7 @@ message MsgChangePubKey { } ``` -As an example, account pubkey change message can be defined as follows. - - -Here, the signature is signed for the public key thats current in-state for account `cosmos1wf5h7meplxu3sc6rk2agavkdsmlsen7rgsasxk`, as normally done in the ante-handler. +The MsgChangePubKey transaction needs to be signed by the existing pubkey in state. Once, approved, the handler for this message type, which takes in the AccountKeeper, will update the in-state pubkey for the account and replace it with the pubkey from the Msg. From 091c8350603e9778d6d8732e96e1e45a70d37252 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Wed, 21 Oct 2020 21:44:40 -0400 Subject: [PATCH 06/16] Update adr-034-change-pubkey.md --- docs/architecture/adr-034-change-pubkey.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/adr-034-change-pubkey.md b/docs/architecture/adr-034-change-pubkey.md index 75d69ac428..0eddf6a941 100644 --- a/docs/architecture/adr-034-change-pubkey.md +++ b/docs/architecture/adr-034-change-pubkey.md @@ -16,7 +16,7 @@ Transferring all the assets of an account to a new account with the updated pubk ## Decision -We propose the creation of a new feature to `x/auth` that allows accounts to update the public key associated with their account, while keeping the address the same. +We propose the creation of a new feature to `x/auth` that allows accounts to update the public key associated with their account, while keeping the address the same. This feature can be enabled using an `EnableChangePubKey` param. This is possible because the Cosmos SDK `StdAccount` stores the public key for an account in state, instead of making the assumption that the public key is included in the transaction (whether explicitly or implicitly through the signature) as in other blockchains such as Bitcoin and Ethereum. Because the public key is stored on chain, it is okay for the public key to not hash to the address of an account, as the address is not pertinent to the signature checking process. From c8c73a483a197b0eddd62a028ff8ee5cb97e7176 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Thu, 22 Oct 2020 12:00:16 -0400 Subject: [PATCH 07/16] Apply suggestions from code review Co-authored-by: Aaron Craelius --- docs/architecture/adr-034-change-pubkey.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/architecture/adr-034-change-pubkey.md b/docs/architecture/adr-034-change-pubkey.md index 0eddf6a941..73f9080a67 100644 --- a/docs/architecture/adr-034-change-pubkey.md +++ b/docs/architecture/adr-034-change-pubkey.md @@ -16,7 +16,7 @@ Transferring all the assets of an account to a new account with the updated pubk ## Decision -We propose the creation of a new feature to `x/auth` that allows accounts to update the public key associated with their account, while keeping the address the same. This feature can be enabled using an `EnableChangePubKey` param. +We propose the addition of a new feature to `x/auth` that allows accounts to update the public key associated with their account, while keeping the address the same. This feature can be enabled using an `EnableChangePubKey` param. This is possible because the Cosmos SDK `StdAccount` stores the public key for an account in state, instead of making the assumption that the public key is included in the transaction (whether explicitly or implicitly through the signature) as in other blockchains such as Bitcoin and Ethereum. Because the public key is stored on chain, it is okay for the public key to not hash to the address of an account, as the address is not pertinent to the signature checking process. @@ -33,7 +33,7 @@ The MsgChangePubKey transaction needs to be signed by the existing pubkey in sta Once, approved, the handler for this message type, which takes in the AccountKeeper, will update the in-state pubkey for the account and replace it with the pubkey from the Msg. -Because an account can no longer be pruned from state once its pubkey has changed, we can charge an additional gas fee for this operation to compensate for this this externality (this bound gas amount is configured as parameter `PubKeyChangeCost`). The bonus gas is charged inside handler, using the `ConsumeGas` function. +Because an account can no longer be pruned from state once its pubkey has changed, we can charge an additional gas fee for this operation to compensate for this this externality (this bound gas amount is configured as parameter `PubKeyChangeCost`). The bonus gas is charged inside the handler, using the `ConsumeGas` function. ```go amount := ak.GetParams(ctx).PubKeyChangeCost From 2ace2a738bb9c165a352f60fdc2a58aa517a0a98 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Wed, 28 Oct 2020 22:20:25 -0400 Subject: [PATCH 08/16] Update docs/architecture/adr-034-change-pubkey.md Co-authored-by: Amaury Martiny --- docs/architecture/adr-034-change-pubkey.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/adr-034-change-pubkey.md b/docs/architecture/adr-034-change-pubkey.md index 73f9080a67..880fe8543b 100644 --- a/docs/architecture/adr-034-change-pubkey.md +++ b/docs/architecture/adr-034-change-pubkey.md @@ -18,7 +18,7 @@ Transferring all the assets of an account to a new account with the updated pubk We propose the addition of a new feature to `x/auth` that allows accounts to update the public key associated with their account, while keeping the address the same. This feature can be enabled using an `EnableChangePubKey` param. -This is possible because the Cosmos SDK `StdAccount` stores the public key for an account in state, instead of making the assumption that the public key is included in the transaction (whether explicitly or implicitly through the signature) as in other blockchains such as Bitcoin and Ethereum. Because the public key is stored on chain, it is okay for the public key to not hash to the address of an account, as the address is not pertinent to the signature checking process. +This is possible because the Cosmos SDK `BaseAccount` stores the public key for an account in state, instead of making the assumption that the public key is included in the transaction (whether explicitly or implicitly through the signature) as in other blockchains such as Bitcoin and Ethereum. Because the public key is stored on chain, it is okay for the public key to not hash to the address of an account, as the address is not pertinent to the signature checking process. To build this system, we design a new Msg type as follows: From 6274240d7cade92e61676fa610dfe6b2e5c67c7e Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Tue, 3 Nov 2020 15:55:16 -0400 Subject: [PATCH 09/16] Apply suggestions from code review Co-authored-by: Robert Zaremba --- docs/architecture/adr-034-change-pubkey.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/architecture/adr-034-change-pubkey.md b/docs/architecture/adr-034-change-pubkey.md index 880fe8543b..15979759b5 100644 --- a/docs/architecture/adr-034-change-pubkey.md +++ b/docs/architecture/adr-034-change-pubkey.md @@ -10,7 +10,7 @@ Proposed ## Context -Currently, in the Cosmos SDK, the address of an auth account is always based on the hash of the public key. Once an account is created, the public key for the account is set in stone, and cannot be changed. This can be a problem for users, as key rotation is a useful security practice, but is not possible currently. Furthermore, as multisigs are a type of pubkey, once a multisig for an account is set, it can not be updated. This is problematic, as multisigs are often used by organizations or companies, who may need to change their set of multisig signers for internal reasons. +Currently, in the Cosmos SDK, the address of an auth `BaseAccount` is based on the hash of the public key. Once an account is created, the public key for the account is set in stone, and cannot be changed. This can be a problem for users, as key rotation is a useful security practice, but is not possible currently. Furthermore, as multisigs are a type of pubkey, once a multisig for an account is set, it can not be updated. This is problematic, as multisigs are often used by organizations or companies, who may need to change their set of multisig signers for internal reasons. Transferring all the assets of an account to a new account with the updated pubkey is not sufficient, because some "engagements" of an account are not easily transferable. For example, in staking, to transfer bonded Atoms, an account would have to unbond all delegations and wait the three week unbonding period. Even more significantly, for validator operators, ownership over a validator is not transferrable at all, meaning that the operator key for a validator can never be updated, leading to poor operational security for validators. @@ -61,3 +61,5 @@ Breaks the current assumed relationship between address and pubkeys as H(pubkey) * Will require that PubKeys for an account are included in the genesis exports. ## References + ++ https://www.algorand.com/resources/blog/announcing-rekeying From c4e5e292444e138b968fb27cfac4f1e6ee375bc3 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Fri, 6 Nov 2020 11:21:45 -0400 Subject: [PATCH 10/16] Update and rename adr-034-change-pubkey.md to adr-034-account-rekeying.md --- ...hange-pubkey.md => adr-034-account-rekeying.md} | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) rename docs/architecture/{adr-034-change-pubkey.md => adr-034-account-rekeying.md} (93%) diff --git a/docs/architecture/adr-034-change-pubkey.md b/docs/architecture/adr-034-account-rekeying.md similarity index 93% rename from docs/architecture/adr-034-change-pubkey.md rename to docs/architecture/adr-034-account-rekeying.md index 15979759b5..0073d6f0a0 100644 --- a/docs/architecture/adr-034-change-pubkey.md +++ b/docs/architecture/adr-034-account-rekeying.md @@ -1,4 +1,4 @@ -# ADR 034: Change PubKey +# ADR 034: Account Rekying ## Changelog @@ -6,7 +6,11 @@ ## Status -Proposed +PROPOSED + +## Abstract + +Account rekeying is a process hat allows an account to replace its authentication pubkey with a new one. ## Context @@ -23,10 +27,16 @@ This is possible because the Cosmos SDK `BaseAccount` stores the public key for To build this system, we design a new Msg type as follows: ```protobuf +service Msg { + rpc ChangePubKey(MsgChangePubKey) returns (MsgChangePubKeyResponse); +} + message MsgChangePubKey { string address = 1; google.protobuf.Any pub_key = 2; } + +message MsgChangePubKeyResponse {} ``` The MsgChangePubKey transaction needs to be signed by the existing pubkey in state. From 53108e76373673a816655bcc47651be72e643268 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Fri, 6 Nov 2020 11:28:18 -0400 Subject: [PATCH 11/16] Update adr-034-account-rekeying.md --- docs/architecture/adr-034-account-rekeying.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/adr-034-account-rekeying.md b/docs/architecture/adr-034-account-rekeying.md index 0073d6f0a0..f51ab46728 100644 --- a/docs/architecture/adr-034-account-rekeying.md +++ b/docs/architecture/adr-034-account-rekeying.md @@ -1,4 +1,4 @@ -# ADR 034: Account Rekying +# ADR 034: Account Rekeying ## Changelog From 20617d0db4dedc0d77cbf774cacda0693430d7c8 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Mon, 23 Nov 2020 15:30:25 -0500 Subject: [PATCH 12/16] Update docs/architecture/adr-034-account-rekeying.md Co-authored-by: Robert Zaremba --- docs/architecture/adr-034-account-rekeying.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/adr-034-account-rekeying.md b/docs/architecture/adr-034-account-rekeying.md index f51ab46728..28e67e97fc 100644 --- a/docs/architecture/adr-034-account-rekeying.md +++ b/docs/architecture/adr-034-account-rekeying.md @@ -62,7 +62,7 @@ Because an account can no longer be pruned from state once its pubkey has change Breaks the current assumed relationship between address and pubkeys as H(pubkey) = address. This has a couple of consequences. -* We cannot prune accounts with 0 balance that have had their pubkey changed (we currently do not currently do this anyways, but the reason we have account numbers is presumably for this purpose). +* We cannot prune accounts with 0 balance that have had their pubkey changed. Currently, we do not prune accounts anyways, but the reason we have account numbers is presumably for this purpose. * This makes wallets that support this feature more complicated. For example, if an address on chain was updated, the corresponding key in the CLI wallet also needs to be updated. ### Neutral From 045e7874b05525d1d603b51f0061921ed19273e3 Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Mon, 23 Nov 2020 15:33:40 -0500 Subject: [PATCH 13/16] Update adr-034-account-rekeying.md Add stack of past keys --- docs/architecture/adr-034-account-rekeying.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/architecture/adr-034-account-rekeying.md b/docs/architecture/adr-034-account-rekeying.md index 28e67e97fc..cc7fc8530c 100644 --- a/docs/architecture/adr-034-account-rekeying.md +++ b/docs/architecture/adr-034-account-rekeying.md @@ -50,6 +50,8 @@ Because an account can no longer be pruned from state once its pubkey has change ctx.GasMeter().ConsumeGas(amount, "pubkey change fee") ``` +Everytime a key for an address is changed, we will store a log of this change in the state of the chain, thus creating a stack of all previous keys for an address and the time intervals for which they were active. This allows dapps and clients to easily query past keys for an account which may be useful for features such as verifying timestamped off-chain signed messages. + ## Consequences From 101d62a69d47ed21a85bd665fed42cbc3e59e3fb Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Mon, 23 Nov 2020 15:47:55 -0500 Subject: [PATCH 14/16] Add details about pruning --- docs/architecture/adr-034-account-rekeying.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/architecture/adr-034-account-rekeying.md b/docs/architecture/adr-034-account-rekeying.md index cc7fc8530c..9a08bf3067 100644 --- a/docs/architecture/adr-034-account-rekeying.md +++ b/docs/architecture/adr-034-account-rekeying.md @@ -64,8 +64,9 @@ Everytime a key for an address is changed, we will store a log of this change in Breaks the current assumed relationship between address and pubkeys as H(pubkey) = address. This has a couple of consequences. -* We cannot prune accounts with 0 balance that have had their pubkey changed. Currently, we do not prune accounts anyways, but the reason we have account numbers is presumably for this purpose. * This makes wallets that support this feature more complicated. For example, if an address on chain was updated, the corresponding key in the CLI wallet also needs to be updated. +* We cannot prune accounts with 0 balance that have had their pubkey changed. This is because if pruned, the original pubkey of the account would be needed to recreate the same address, but the owner of the address may not have the original pubkey anymore. Currently, we do not automatically prune accounts anyways, but the purpose of account numbers is to allow for this down the road. One way to allow accounts that have had their pubkeys changed is to allow their owners to manually prune their accounts using a new Msg type such as `MsgDeleteAccount`. Manually pruning accounts can give a gas refund as an incentive for performing the action. + ### Neutral From 972095e7faab7b438f72e12d3ed36754bc4f281f Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Mon, 23 Nov 2020 15:52:47 -0500 Subject: [PATCH 15/16] pruning info --- docs/architecture/adr-034-account-rekeying.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/architecture/adr-034-account-rekeying.md b/docs/architecture/adr-034-account-rekeying.md index 9a08bf3067..8dfcc9e668 100644 --- a/docs/architecture/adr-034-account-rekeying.md +++ b/docs/architecture/adr-034-account-rekeying.md @@ -43,13 +43,16 @@ The MsgChangePubKey transaction needs to be signed by the existing pubkey in sta Once, approved, the handler for this message type, which takes in the AccountKeeper, will update the in-state pubkey for the account and replace it with the pubkey from the Msg. -Because an account can no longer be pruned from state once its pubkey has changed, we can charge an additional gas fee for this operation to compensate for this this externality (this bound gas amount is configured as parameter `PubKeyChangeCost`). The bonus gas is charged inside the handler, using the `ConsumeGas` function. + +An account that has had its pubkey changed cannot be automatically pruned from state. This is because if pruned, the original pubkey of the account would be needed to recreate the same address, but the owner of the address may not have the original pubkey anymore. Currently, we do not automatically prune any accounts anyways, but we would like to keep this option open the road (this is the purpose of account numbers). To resolve this, we charge an additional gas fee for this operation to compensate for this this externality (this bound gas amount is configured as parameter `PubKeyChangeCost`). The bonus gas is charged inside the handler, using the `ConsumeGas` function. Furthermore, in the future, we can allow accounts that have rekeyed manually prune themselves using a new Msg type such as `MsgDeleteAccount`. Manually pruning accounts can give a gas refund as an incentive for performing the action. + ```go amount := ak.GetParams(ctx).PubKeyChangeCost ctx.GasMeter().ConsumeGas(amount, "pubkey change fee") ``` + Everytime a key for an address is changed, we will store a log of this change in the state of the chain, thus creating a stack of all previous keys for an address and the time intervals for which they were active. This allows dapps and clients to easily query past keys for an account which may be useful for features such as verifying timestamped off-chain signed messages. @@ -65,7 +68,7 @@ Everytime a key for an address is changed, we will store a log of this change in Breaks the current assumed relationship between address and pubkeys as H(pubkey) = address. This has a couple of consequences. * This makes wallets that support this feature more complicated. For example, if an address on chain was updated, the corresponding key in the CLI wallet also needs to be updated. -* We cannot prune accounts with 0 balance that have had their pubkey changed. This is because if pruned, the original pubkey of the account would be needed to recreate the same address, but the owner of the address may not have the original pubkey anymore. Currently, we do not automatically prune accounts anyways, but the purpose of account numbers is to allow for this down the road. One way to allow accounts that have had their pubkeys changed is to allow their owners to manually prune their accounts using a new Msg type such as `MsgDeleteAccount`. Manually pruning accounts can give a gas refund as an incentive for performing the action. +* Cannot automatically prune accounts with 0 balance that have had their pubkey changed. ### Neutral From b5442e1d5e11a8e42cb0471498241ad6a9882f2d Mon Sep 17 00:00:00 2001 From: Sunny Aggarwal Date: Tue, 24 Nov 2020 13:06:58 -0500 Subject: [PATCH 16/16] Update adr-034-account-rekeying.md --- docs/architecture/adr-034-account-rekeying.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/adr-034-account-rekeying.md b/docs/architecture/adr-034-account-rekeying.md index 8dfcc9e668..22cb79e313 100644 --- a/docs/architecture/adr-034-account-rekeying.md +++ b/docs/architecture/adr-034-account-rekeying.md @@ -20,7 +20,7 @@ Transferring all the assets of an account to a new account with the updated pubk ## Decision -We propose the addition of a new feature to `x/auth` that allows accounts to update the public key associated with their account, while keeping the address the same. This feature can be enabled using an `EnableChangePubKey` param. +We propose the addition of a new feature to `x/auth` that allows accounts to update the public key associated with their account, while keeping the address the same. This is possible because the Cosmos SDK `BaseAccount` stores the public key for an account in state, instead of making the assumption that the public key is included in the transaction (whether explicitly or implicitly through the signature) as in other blockchains such as Bitcoin and Ethereum. Because the public key is stored on chain, it is okay for the public key to not hash to the address of an account, as the address is not pertinent to the signature checking process.