TIP-1008: Root Key Disabling #2155

Closed
gakonst wants to merge 3 commits into main from gakonst/tip-1008-disable-root-key

Conversation

@gakonst (Contributor) commented Jan 18, 2026

Summary

This TIP proposes adding a disableRootKey() function to the AccountKeychain precompile, allowing accounts to permanently disable their root key after authorizing alternative signing keys.

Motivation

The root key (original EOA private key) currently has permanent, irrevocable control over an account. Disabling it enables:

1. Multisig Security

For DAOs/treasuries, the root key is a single point of failure. Disabling it ensures control is distributed exclusively among configured signers.

2. Post-Quantum Cryptography Migration

When PQ signature schemes are added, accounts can authorize a PQ access key and disable their vulnerable ECDSA root key—migrating to quantum-resistant crypto without changing their address.

3. Ephemeral Key Pattern (Porto-style)

Accounts created with ephemeral keys (generate → sign auth → discard) can explicitly disable the root key on-chain, providing cryptographic assurance the ephemeral key can never be reused.

4. HSM Migration

Enterprise users can migrate control entirely to HSM-backed keys, meeting compliance requirements.

Specification Highlights

  • disableRootKey() - Permanently disables root key (requires active access key to exist)
  • isRootKeyDisabled() - View function to check status
  • Protocol-level enforcement rejects root key transactions after disabling
  • Irreversible by design

Test Cases

16 comprehensive test cases covering happy paths, edge cases, and invariants.

Requested by @gakonst

Adds a new TIP proposing a disableRootKey() function for the AccountKeychain
precompile. This enables:

- Multisig accounts where root key is no longer a single point of failure
- Post-quantum cryptography migration by disabling ECDSA root key after
  authorizing a PQ-resistant access key
- Ephemeral key pattern (Porto-style) with cryptographic assurance that
  the ephemeral key cannot be reused
- HSM migration for enterprise compliance requirements

The proposal includes:
- disableRootKey() function callable only by root key
- isRootKeyDisabled() view function
- Protocol-level enforcement rejecting root key transactions post-disable
- Safety check requiring at least one active access key before disabling
- Comprehensive invariants and test cases

Implementation of TIP-1008, which adds the ability to permanently disable
an account's root key.

Changes:
- Add disableRootKey(activeKeyId) function to IAccountKeychain interface
- Add isRootKeyDisabled(account) view function
- Add RootKeyDisabled event
- Add new errors: NoActiveAccessKeys, RootKeyAlreadyDisabled, RootKeyIsDisabled
- Add root_key_disabled storage mapping to AccountKeychain precompile
- Implement disable_root_key() with safety checks:
  - Only callable by root key (not access keys)
  - Requires specifying an active access key to prevent lockout
  - Irreversible once called
- Add check_root_key_disabled() internal method for handler
- Update handler to reject root key transactions when disabled:
  - Primitive signatures are rejected
  - KeyAuthorization is rejected
- Add RootKeyDisabled error to TempoInvalidTransaction
- Update Solidity interface documentation
- Add comprehensive unit tests

This enables:
- Multisig security (remove root key as single point of failure)
- Post-quantum migration (disable ECDSA after authorizing PQ key)
- Ephemeral key pattern (Porto-style account creation)
- HSM migration for enterprise compliance

Amp-Thread-ID: https://ampcode.com/threads/T-019bd2f1-7eb8-73fc-acc5-73e1083deaef
Co-authored-by: Amp <amp@ampcode.com>

- Add disableRootKey() and isRootKeyDisabled() to AccountKeychain.sol
- Add rootKeyDisabled mapping to storage layout
- Run cargo fmt on Rust files
- Run forge fmt on Solidity files
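
The specification highlights and the commit messages above describe three things a reviewer would want to see hold together: disableRootKey() is root-key-only, it refuses to run unless the caller names an access key that is currently active, and once the flag is set the handler rejects both root-signed primitive transactions and KeyAuthorization. The following is an added example written for this page, a stand-alone Rust model and not code from the Tempo precompile or from this PR. The names disable_root_key, check_root_key_disabled, root_key_disabled, NoActiveAccessKeys, RootKeyAlreadyDisabled and RootKeyIsDisabled come from the PR text; the Signer enum, the OnlyRootKey and KeyNotActive errors, the authorize_key bookkeeping, lifecycle_demo and every function signature are assumptions made so the model runs.

```rust
// Added example modelling the TIP-1008 state machine described in the PR.
// Not the Tempo precompile's code. Assumed for illustration: the Signer
// enum, the OnlyRootKey / KeyNotActive errors, authorize_key and all
// signatures. Names taken from the PR: disable_root_key,
// check_root_key_disabled, root_key_disabled, and the three error variants.
use std::collections::{HashMap, HashSet};

pub type Address = [u8; 20];
pub type KeyId = [u8; 20];

/// Who signed the transaction or call being validated (assumed shape).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Signer {
    Root,             // the account's original EOA key
    AccessKey(KeyId), // a key previously authorized on the account
}

#[derive(Debug, PartialEq, Eq)]
pub enum KeychainError {
    NoActiveAccessKeys,     // named key is not active on this account
    RootKeyAlreadyDisabled, // disableRootKey called twice
    RootKeyIsDisabled,      // handler rejects root-key use after disabling
    OnlyRootKey,            // assumed: disableRootKey invoked via an access key
    KeyNotActive,           // assumed: access-key tx from an unauthorized key
}

#[derive(Default)]
pub struct AccountKeychain {
    active_keys: HashMap<Address, HashSet<KeyId>>,
    root_key_disabled: HashMap<Address, bool>, // storage mapping from the PR
}

impl AccountKeychain {
    /// Internal bookkeeping for authorized keys (assumed).
    fn authorize_key(&mut self, account: Address, key: KeyId) {
        self.active_keys.entry(account).or_default().insert(key);
    }

    pub fn has_active_key(&self, account: Address, key: &KeyId) -> bool {
        self.active_keys.get(&account).map_or(false, |keys| keys.contains(key))
    }

    /// isRootKeyDisabled(account) view.
    pub fn is_root_key_disabled(&self, account: Address) -> bool {
        self.root_key_disabled.get(&account).copied().unwrap_or(false)
    }

    /// Handler-side gate: every root-key operation passes through here.
    pub fn check_root_key_disabled(&self, account: Address) -> Result<(), KeychainError> {
        if self.is_root_key_disabled(account) {
            Err(KeychainError::RootKeyIsDisabled)
        } else {
            Ok(())
        }
    }

    /// disableRootKey(activeKeyId): root-only, irreversible, and only when
    /// the caller names a key that is active right now (lockout guard).
    pub fn disable_root_key(
        &mut self,
        account: Address,
        caller: Signer,
        active_key_id: KeyId,
    ) -> Result<(), KeychainError> {
        if caller != Signer::Root {
            return Err(KeychainError::OnlyRootKey);
        }
        if self.is_root_key_disabled(account) {
            return Err(KeychainError::RootKeyAlreadyDisabled);
        }
        if !self.has_active_key(account, &active_key_id) {
            return Err(KeychainError::NoActiveAccessKeys);
        }
        self.root_key_disabled.insert(account, true);
        Ok(())
    }

    /// KeyAuthorization is a root-key operation, so it uses the same gate.
    pub fn authorize_key_via_root(&mut self, account: Address, key: KeyId) -> Result<(), KeychainError> {
        self.check_root_key_disabled(account)?;
        self.authorize_key(account, key);
        Ok(())
    }

    /// Primitive-signature validation as the handler would perform it.
    pub fn validate_signer(&self, account: Address, signer: Signer) -> Result<(), KeychainError> {
        match signer {
            Signer::Root => self.check_root_key_disabled(account),
            Signer::AccessKey(key) if self.has_active_key(account, &key) => Ok(()),
            Signer::AccessKey(_) => Err(KeychainError::KeyNotActive),
        }
    }
}

/// Walks one account through the lifecycle; each step's result is returned
/// in order so the invariants can be checked. Identities are constructed.
pub fn lifecycle_demo() -> Vec<Result<(), KeychainError>> {
    let account: Address = [0x11; 20];
    let access: KeyId = [0xAA; 20];
    let spare: KeyId = [0xBB; 20];
    let mut kc = AccountKeychain::default();
    vec![
        kc.disable_root_key(account, Signer::Root, access),             // no key yet: rejected
        kc.authorize_key_via_root(account, access),                     // root authorizes a key
        kc.disable_root_key(account, Signer::AccessKey(access), access), // access key may not disable
        kc.disable_root_key(account, Signer::Root, access),             // root disables itself
        kc.validate_signer(account, Signer::Root),                      // root tx now rejected
        kc.authorize_key_via_root(account, spare),                      // KeyAuthorization rejected
        kc.validate_signer(account, Signer::AccessKey(access)),         // access key still works
        kc.disable_root_key(account, Signer::Root, access),             // second disable rejected
    ]
}

fn main() {
    for (i, step) in lifecycle_demo().iter().enumerate() {
        println!("step {i}: {step:?}");
    }
}
```

The page does not say what should happen if the access key named at disable time is later revoked, so the model has no revoke path; an implementation has to decide whether revoking the last active key of a root-disabled account is permitted, because after that point nothing can sign for the account.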