Comment on page
Secret Key and Signatures
There are two signature methods used in the DeGate protocol:
- ECDSA (Elliptic Curve Digital Signature Algorithm) is an implementation of DSA (Digital Signature Algorithm) that uses elliptic curve cryptography, which can provide comparable level of security to RSA with a smaller key size. Learn more
- EdDSA (Edwards-Curve Digital Signature Algorithm) is a digital signature scheme using a variant of Schnorr signatures based on twisted Edwards curves. Signature creation is deterministic in EdDSA, and its security is based on the intractability of certain discrete logarithm problems, making it more secure than DSA and ECDSA, which require high-quality randomness for each signature. Learn more
The Asset Private Key is a EdDSA secret key generated by users through signing with their Ethereum wallet private key. The Asset Private Key is used to initiate various operation requests in DeGate. Users must first unlock their DeGate account when logging in to derive an Asset Private Key, which will be temporarily stored in the session of their local browser.
Relationship between ECDSA & EdDSA Signatures
A ECDSA signature must be confirmed by users in their wallets, as shown in the MetaMask webpage plugin below.
The DeGate protocol supports 3 types of ECDSA signature and verification methods:
During the verification process, the node verifies both the ECDSA signature and the EdDSA signature simultaneously. However, the circuit verifies only the EdDSA signature, while the smart contract only verifies the ECDSA signature.
: In paid deposit, payment can be made from a wallet or the DeGate account. Here we specifically refer to the latter.
A ValidUntil field is added to both the ECDSA and EdDSA signatures submitted for requests. The verification process begins by checking whether the signature is within the specified validity period. Execution will only proceed if the signature is still valid.
When registering a new account, users are requested to complete two ECDSA signatures. The first signature generates an asset private key. This signature contains the address of the DeGate smart contract with a KeyNonce value that starts at 1 and increases by 1 each time the account is reset. The value is stored off-chain by the DeGate node.
Sign this message to access DeGate Exchange: 0xdac304791B7f53593C701980aa52087Ed7EC6649 with key nonce: 1
The second signature submits an AccountUpdate request to associate user’s wallet address, AccountID, and the public key corresponding to the Asset Private Key. These data are simultaneously synced up to the Merkle tree and ultimately submitted to the smart contract for verification via zero-knowledge proofs.
The process of resetting the Asset Private Key is the same as registering an account with the only difference being the incremental KeyNonce+1 value.
- 1.Neither the DeGate Protocol nor degate.com can or will access the private key of users' Ethereum wallets.
- 2.The Asset Private Key is temporarily saved in the SessionStorage of users’ local browsers and will be automatically cleared when the browser tab is closed. SessionStorage does not support cross-domain or cross-session access, making it a safe storage option.
- 3.DeGate implements a front-end security isolation solution by dividing the front-end website into two parts: "ordinary front-end code" and "core front-end code". The core code is used to interact with the Ethereum wallet, call the asset private key for signature, and communicate with the ordinary front-end code. The ordinary front-end code is only responsible for site functions and cannot directly access users’ private key. We plan to deploy the core front-end code on a decentralized platform in the future to make it immutable, which will further enhance the security of users’ private keys.
Please Keep Your Private Keys Safe
If a user loses their asset private key, while attackers cannot directly withdraw or transfer their assets, they may sell them at a very low price on the DeGate exchange and make a profit as the counter-party.
If you suspect that your asset private key has been stolen, please use the "Reset Asset Private Key" function immediately. This will render the stolen private key invalid.