Skip to main content

9.1 BLS Keys

This section will explain the different types of keys in the Chia network. It will also cover how the keys are generated, stored, and used. These systems are designed to be flexible enough to support many different configurations and pooling setups and to be resilient to various attacks.

All Chia keys are BLS-12-381 private keys, following the IETF specification, the EIP-2333 specification for key derivation and BIP 44 registered. Private keys are 32 bytes, public keys 48 bytes, and signatures 96 bytes (public keys are points in G1, signatures are points in G2.)

WARNING: There is a slight difference between Chia's implementation and EIP-2333, as described in the next section.

BLS signatures allow for many features and optimizations, such as non-interactive m/n thresholds, aggregation of all signatures in a block, and chialisp tricks like combining two coins into the same transaction. Private keys can be generated by using a 24-word mnemonic phrase, which users can use to back up and restore their wallets.

The 24 words can be converted to and from a BLS private key. The BLS master private key is stored in the OS keychain, which usually requires password authentication and is encrypted.

The master private key can be used to derive child keys, which can further be used to derive child keys, etc. The number of levels can be infinite. BLS public keys can be combined to form a new public key, which can be used to validate aggregate signatures.

Each time the wallet generates a new address to receive funds, it creates a new BLS private key. The farmer and pool only use the first key in the current codebase, but they can be updated to generate a new key every time a block is won, for additional privacy.

When it comes to getting paid, a chialisp program is created that uses one of the wallet BLS public keys. This program, called a puzzle, is hashed to generate a puzzle hash. The puzzle hash is then converted to an address in bech32m format, for easy error correction and usability.

So an address is analogous to a wallet child BLS public key, the private key of which can be derived from the master seed.


Difference between Chia and EIP-2333#

The specification that Chia follows is described in the IRTF CFRG BLS standard, version 1. There was a change made in version 2 which makes the key generation incompatible. Both versions are secure, but Chia keys were committed to the final plot format in 2020 and thus the older version of the specification is used.

Non-Observer vs Observer Keys#

There are two ways in which child keys can be derived from parent keys: non-observer and observer (also called hardened and unhardened).

Non-observer keys are the default, and only supported, method in the EIP-2333 spec. They are secure, since each key is cryptographically separated -- revealing one key has no impact on the security of its ancestors or siblings. However, non-observer keys are limited in functionality, because they can only be derived through private derivation. That is, a parent private key can be used to derive a child private key, but a parent public key cannot be used to derive a child public key.

Observer keys do allow public derivation. This enables view-only wallets that support viewing all of your public keys, using only the root (master) public key. This is what is usually done for Bitcoin HD view-only wallets. It enables more privacy when compared to systems like Ethereum, which reuse the same address for all transactions.

One advantage of observer keys is tax calculation: if you use a different address for each transaction, you only need to give your accountant your parent public key, who can use it to derive all of your child addresses. This would not be possible with non-observer keys.

The main security drawback of observer keys is that if you accidentally reveal a single child private key, along with the parent public key, then your parent private key and all sibling keys can be calculated as well.

At the time of Chia's mainnet launch in March and May 2021, only non-observer keys were used. Beginning in December 2021, observer keys are supported -- and preferred -- for view only-wallet support.