Experiment Using PRF Extension For Signer Key Material #249
Description
Context / issue
One of the big downsides of Webauthn is that most devices only support curves that are non-EVM native (P-256, RSA, Ed25519 to name the common ones). This means that, at least until EIP-7212 lands, ECDSA signature verification needs to be implemented in Solidity which adds ~300k gas overhead when verifying signatures.
There is a pseudo-random function extension (PRF) that allows credentials to provide additional 32-byte key material for use in the client. The use case for the extension, for example, request a credential when logging in with some additional key material, and then use this key material to decode some local storage data. However, this can also be used as key material to generate secp256k1 private keys for signing transactions.
Proposed solution
On account creation:
- Create the credential and request
prfwith a fixedfirstsalt parameter - Use the generate 32-byte key material as an HD wallet seed
- Compute the address of an account at a fixed HD wallet path (the default one for example, or a special index, etc.)
- Use the account as regular EOA owner to the Safe
- Discard the key material (ensuring it is only ever used ephemerally)
On transaction signing:
- Request the credential created ☝️ with
prfand the same fixedfirstsalt parameter - Use the generate 32-byte key material as an HD wallet seed
- Sign the Safe transaction with the account with the same HD wallet path used during account creation
- Discard the key material (ensuring it is only ever used ephemerally)
Alternatives
Note that in the proposed solution, we always discard the key material right awayt after using it. If we want to provide a more "login once, sign many times" experience, we can even store the key material per session, and then not require an authenticator (i.e. device like iPhone) interaction per signature.