Special thanks to Sacha Yves Saint-Leger & Danny Ryan for their review.
At the core of every Proof of Stake system is a signature scheme. Signatures are used to verify the identity of each validator allowing their actions, both good and bad, to be attributed to them.
We can verify honesty by looking at a validator's signed messages and we can prove malice by showing messages that violate the rules of consensus.
In fact, in eth2, the identity of a validator is their public key. Specifically, each validator has two sets of keys: a signing key and a withdrawal key.
A signing key is the key a validator needs to sign attestations and propose blocks. Because a validator needs to sign a message at least once per epoch, the client software must have custody of the key.
Because the client software is always connected to the internet, there is of course a chance that one’s signing key is compromised. To reduce the impact of such a breach, the actions a validator can perform are split between two keys.
The signing key, as explained above, is used for the validator to perform their duties. On the other hand, the withdrawal key has the power to control a validator's funds (transferring*, and withdrawing* ETH).
A validator should only need to use their withdrawal keys a few times over the lifetime of being a validator. This means they can be put into cold storage and stored with a high degree of security (offline).
* Transfers and withdrawals are not enabled until at least phase 1
That's a lot of keys!
If for every 32ETH staked, one needed to save and use 2 unrelated keys to make a deposit, this would get out of hand very quickly.
Luckily, we have a solution. The remedy is to have the keys use a common secret, so that storing a single secret gives access to multiple keys.
In eth2, this is achieved via EIPs 2333 and 2334: a set of standards that describe how withdrawal and signing keys are related, and how they can be derived from a single mnemonic.
Mnemonics are another way of encoding secrets and are a much simpler means for people to store and back up their private keys.
The idea being that it is simpler to remember or write down sausage solution loud isolate focus glide frame door clown million shuffle impulse than 0x1e9f2afcc0737f4502e8d4238e4fe82d45077b2a549902b61d65367acecbccba without making any mistakes.
Deriving keys from other keys
When interacting with wallets, you may have encountered "paths" of the form m/44'/60'/0'/0/0. These paths describe a relationship between keys.
According to EIP 2333, this relationship takes the form of a tree structure in which a key is determined by a source of entropy (the tree’s seed) and a tree path.
We use the seed to calculate the root of the tree and then build the tree in layers on top of this root. This tree of keys is defined purely through the relationship between the branch followed in the tree, and the tree's root.
In practical terms, it allows us to find any key in the tree by starting at the root, and calculating the intermediate key at each branch we follow, until we reach the leaf we are interested in.
A wonderful consequence of this is that we can start with a single source of entropy (a mnemonic, for example), and from there build out a practically unlimited number of keys.
In addition, by securely storing just the mnemonic, you have a backup of every key that your validator uses.
This idea is used in eth2 to allow a single mnemonic to generate as many keys as a validator needs. For example, if you wanted to run 3 validators, you could use a single mnemonic to generate the withdrawal keys located at m/0, m/1, m/2.
[m / 0] / / [m] - [m / 1] \ \ [m / 2]
Each branch is separated by a / so m/2 means start with the master key and follow branch 2.
EIP 2334 states that the validator's signing key is the 0th child-branch of the withdrawal key. In practice this means that, when the standard is followed, if you know the private key for withdrawal, you can calculate the corresponding private key for signing.
Continuing with the above example, the signing keys would be found at: m/0/0, m/1/0, m/2/0.
[m / 0] - [m / 0 / 0] / / [m] - [m / 1] - [m / 1 / 0] \ \ [m / 2] - [m / 2 / 0]
While we tried to keep this example as simple as possible, in practice the paths involved are a little longer (EIP 2334 requires using m/12381/3600/i/0, and m/12381/3600/i/0/0 for withdrawal and signing keys respectively). Nevertheless, the logic remains the same.
The important thing to remember is that if you know the mnemonic, you can calculate your withdrawal keys, and from there derive your signing keys.
Validator clients use keystores as a method for exchanging keys.
Keystores are files that contain private keys encrypted with a user's password. They can be safely stored and transferred between computers provided the password is not stored on the same computer.
When you are ready to start validating, you can give your client the keystores and the password encrypting them (it needs both pieces of information to import your keys).
Becoming a validator
The first step in becoming a validator is to generate the appropriate keys. These will be generated once you've written down your mnemonic.
Since there are no withdrawals or transfers in phase 0, you do not need to have keystores for your withdrawal keys; storing your mnemonic safely is sufficient.
As your validator clients need your signing keys, you will receive a keystore for each of your validators to store these keys.
Now it's deposit time! To become a validator, you will need to send 32 ETH per validator in addition to your deposit data containing all of your validator public keys.
The deposit data are then recorded in the deposit contract on eth1. This contract is watched by eth2 nodes who are responsible for copying over the deposit data. Once your deposit data has been copied over, you are now officially a validator!
Becoming a validator the easy way
We're happy to announce that we've been working hard on a friendly interface to walk validators through this process. Stay posted for an update shortly on what the Eth2 Launchpad is and how to use it!