Using ECDSA and EdDSA
Overview
Fireblocks workspaces support non-custodial wallets with two algorithms: MPC_ECDSA_SECP256K1
(ECDSA) and MPC_EDDSA_ED25519
(EdDSA). Your workspace can use one of the following configurations:
- Using both the ECDSA and EdDSA algorithms in all wallets.
- Using only the ECDSA algorithm across all wallets.
- Using only the EdDSA algorithm across all wallets.
Your workspace configuration propagates to all the wallets within it, and all the wallets generate keys according to that configuration. For example:
- If your workspace is configured with only the ECDSA algorithm and the SDK attempts to execute
generateMPCKeys
withMPC_EDDSA_ED25519
, the function will fail. - If your workspace is configured with both the ECDSA and EdDSA algorithms and the SDK attempts to execute
generateMPCKeys
withMPC_ECDSA_SECP256K1
, the function will succeed. However, until the additional key is added to the wallet with thegenerateMPCKeys
function, the device within that wallet will not be able to perform any operations such as backup, asset activation, signing transactions, etc.
Enabling EdDSA
By default, your workspace only supports the ECDSA algorithm. Depending on whether you're an existing Fireblocks customer or a Sandbox user, there are different methods you can use to add support for EdDSA.
Existing Fireblocks customers
Submit a request to Fireblocks Support with the following details:
- Task: Workspace Operations
- Workspace Operations: NCW Feature Management
- NCW Tasks: Activate EdDSA Chains
Does your workspace already have wallets with generated keys?
If your production workspace is configured to support two algorithms but a wallet is provisioned with only one key, that wallet will no longer be able to perform any operations such as backup, asset activation, signing transactions, and so on, until it is provisioned with the additional key.
- If your end users are not yet interacting with your wallets, provision the wallets with the additional key by calling the
generateMPCKeys
function with the additional algorithm.- If end users are already Interacting: Decide whether to add a migration process to include the additional algorithm using
generateMPCKeys
with the additional algorithm, or consider opening a new workspace that supports all algorithms. For assistance, reach out to your Customer Success Manager.
Sandbox Explorers
Visit our Developer Community and create a post indicating that you want to add EdDSA support to your Sandbox workspace. Please do not forget to add your workspace name too!
Retrieving the Device Keys Status
The MPC Keys Generation process is a multi-step operation that can fail or stop in the middle for various reasons, such as a network error or the end user leaving the application midway through the process. If a failure or stoppage occurs, you end up with a device and a deviceId
that cannot be used until you complete the MPC key generation process.
To check the current key status for a device, there are two methods you can use:
- Call the
getKeysStatus
function on the web SDK or mobile SDK. WhenkeyStatus
returns READY, the MPC key generation process has been completed. Note that READY is the only valid final status for the key. - Call the Get device key setup state endpoint. This endpoint returns the device's current status and includes some additional response parameters:
- SetupStatus: Returns as COMPLETE or INCOMPLETE per key that started creation on the device.
- Algorithm name: Returns as
MPC_ECDSA_SECP256K1
orMPC_EDDSA_ED25519
. - backedUp: This boolean flag indicates whether the keys were backed up by any of the wallet's devices. Remember, a wallet can have multiple devices associated with it.
Note that a device's status will only return as COMPLETE when all the keys declared in its workspace have reached the COMPLETE status and the device's backup flag is set to true.
Retrieving the Wallet Key Status
You can also query a wallet's status by calling the Get wallet key setup state endpoint. The response includes the current status of all devices associated with the wallet. Note that a wallet is considered COMPLETE as long as at least one of its devices also has the COMPLETE status.
If you send a request to an incomplete wallet or device, your request will fail and Fireblocks may return error codes to provide context for the request's failure.
Updated 29 days ago