Request flow
Overview
The Warden Protocol is a system that manages keys for blockchain nodes. Warden users can request Keychains to generate pairs of private and public keys and sign transactions with private keys.
This section explains how the Warden Protocol processes these two types of transactions: key requests and signature requests. The main steps are the following:
- Sending a request: A user sends a request, specifying the preferred Keychain and the Approval Rule to apply.
- Checking the Rule: Nodes check the Approval Rule and reach consensus.
- Fulfilling the request: The Keychain publishes a public key or a signature to the Warden Protocol.
You'll find a detailed breakdown of these steps below.
Actors
The Warden Protocol includes three types of actors participating in sending and processing transactions:
- Node: A server running the Warden Protocol software
- Keychain: Software for generating keys and signing transactions, running on a Keychain operator's server
- Client: Software for interacting with the protocol, running on a user's machine (such as SpaceWard)
Key request flow
The flow for generating a private/public key pair includes the following steps:
1. Sending a request
- The Client sends a
MsgNewKeyRequest
transaction to its Node, specifying these details:
- The key type – for example, ECDSA secp256k1
- The Keychain ID
- The Approval Rule ID
- A
KeyRequest
object is created and stored in the on-chain database.
2. Checking the Rule
-
The Node checks the Approval Rule: if the conditions specified in the Rule are satisfied, the Intent Engine returns
true
. -
The transaction gets included in a block and broadcast to the P2P network.
-
All nodes in the network reach consensus on the validity of the transaction and re-evaluate the Approval Rule check.
Note: 1/3 of the voting power has to agree on the outcome of evaluation. Otherwise, the request is never broadcast to the Keychain. If an attacker wants to abuse the system, they need to obtain more than 1/3 of the voting power.
3. Fulfilling the request
-
The Keychain queries its Node for pending requests and picks up the
KeyRequest
object, identified by its unique ID. -
The Keychain's MPC network generates a new private/public key pair and stores it. The new public key inherits its ID from the
KeyRequest
ID. -
A Keychain Writer sends a
MsgFulfilKeyRequest
transaction with the public key to the Node.
Note: Currently all Keychains available in Warden are MPC-based: each Keychain operator runs a network of MPC nodes. Potentially, a Keychain can be operated without an MPC network – Warden isn't in charge of it.
Diagram
This diagram represents the key request flow:
Signature request flow
The flow for requesting a signature includes the following steps:
1. Sending a request
- The Client sends a
MsgNewSignRequest
transaction to its Node, specifying these details:
- Raw data bytes
- The key ID
- The Approval Rule ID
- A
SignRequest
object is created and stored in the on-chain database.
Note: While key requests directly indicate the Keychain ID in the request, signature requests contain the Keychain ID inside the keys
object.
2. Checking the Rule
-
The Node checks the Approval Rule: if the conditions specified in the Rule are satisfied, the Intent Engine returns
true
. -
The transaction is included in a block and broadcast to the P2P network.
-
All nodes in the network reach consensus on the validity of the transaction and re-evaluate the Approval Rule check.
Note: 1/3 of the voting power has to agree on the outcome of evaluation. Otherwise, the request is never broadcast to the Keychain. If an attacker wants to abuse the system, they need to obtain more than 1/3 of the voting power.
3. Fulfilling the request
-
The Keychain queries its Node for pending requests and picks up the
SignRequest
object, identified by its unique ID. -
The Keychain's MPC network generates a signature using the specified private key.
-
A Keychain Writer sends a
MsgFulfilSignRequest
transaction with the signature to the Node.
Note: Currently all Keychains available in Warden are MPC-based: each Keychain operator runs a network of MPC nodes. Potentially, a Keychain can be operated without an MPC network – Warden isn't in charge of it.
Diagram
This diagram represents the signature request flow: