Understanding Keys in Proof-of-Stake Ethereum

Ethereum utilizes public-key cryptography to safeguard user assets. The public key serves as the foundation for an Ethereum address—visible to the public as a unique identifier. The private key (or secret key) is accessible only to the account owner and is used to cryptographically 'sign' transactions and data, proving ownership and authorization.

Key Generation in Ethereum

Ethereum keys are generated using Elliptic Curve Cryptography (ECC). However, with Ethereum's transition from Proof-of-Work (PoW) to Proof-of-Stake (PoS), a new type of key was introduced to support staking and validation:

• Traditional ECC Keys: Continue securing user accounts as before.
• BLS Keys: Enable efficient signature aggregation for PoS validators, reducing communication overhead in consensus mechanisms.

👉 Learn more about BLS signatures

Two Types of Validator Keys in PoS Ethereum

1. Validator Keys

Used to participate in block validation and attestation, these consist of:

• Validator Private Key: Signs on-chain operations (e.g., block proposals). Must be stored in a hot wallet for accessibility.
• Validator Public Key: Embedded in the deposit transaction data to identify the validator on the network.

Risks of Compromised Validator Keys:

• Malicious actors can slash the validator by:

  • Proposing conflicting blocks.
  • Submitting contradictory attestations.
• Force a voluntary exit, stopping staking rewards.

2. Withdrawal Keys

Required to withdraw staked ETH, these include:

• Withdrawal Private Key: Authorizes balance transfers.
• Withdrawal Public Key: Linked to an execution address (0x01-type credential).

Critical Note: Losing the withdrawal key means losing access to staked funds, even if the validator remains active.

Withdrawal Credentials

Each validator has a 32-byte withdrawal credential, prefixed by:

• 0x00: BLS key (requires an update to enable withdrawals).
• 0x01: Execution address (directs withdrawals to an Ethereum account).

Updating Credentials:

• Submit a signed BLSToExecutionChange message.
• Ensures excess balance payments and full withdrawals are processed.

Hierarchical Deterministic (HD) Wallets

Managing multiple validators is streamlined through mnemonic phrases and derivation paths (e.g., m/44'/60'/0'/0).

How It Works:

1. Mnemonic Phrase: Generates a master key (root of the key tree).
2. Derivation Paths: Create child keys for validators and withdrawals.

Example Path Structure:

m / purpose / coin_type / account / change / address_index  

Advantages:

• One mnemonic can manage unlimited validators.
• Isolates keys for security while maintaining recoverability.

FAQs

1. What happens if I lose my validator private key?

You can no longer sign blocks/attestations but can still withdraw funds if the withdrawal key is intact.

2. Why must I update withdrawal credentials?

0x00-type credentials lack execution addresses. Updating to 0x01 enables ETH transfers.

3. Can I reuse the same key for multiple validators?

No—each validator requires a unique key pair for security.

👉 Explore staking best practices

Further Reading

• Ethereum Foundation Blog on Keys
• EIP-2333: BLS12-381 Key Generation