dot_keygen 0.0.1


dot_keygen

Arbitrary hierarchical keygen in Dart.

How it Works

A root ticket is used as the secret input to the key derivation function (scrypt, until argon2id is available in Dart), and secrets are then recursively derived along a path through the graph.

Canonically, the first derivation indicates an identity and further derivations represent wallets. Wallets can be well-known and have domain-specific representations using the derived secret. For example, a secret can be generated and used as input to a bitcoin wallet like so:

import 'dart:convert';
import 'package:dot_keygen/dot_keygen.dart' as keygen;
import 'package:test/test.dart';

void main() {
  test('derives a Bitcoin wallet from a ticket', () {
    final myTicket = "~sampel-ticlet-migfun-falmel"; // or any string, really ¯\_(ツ)_/¯

    // Walk the path root -> identity 'matt' -> Bitcoin domain.
    final secret = keygen.derive(
      utf8.encode(myTicket),
      [keygen.ROOT, 'matt', keygen.Domain.Bitcoin],
    );

    final wallet = keygen.toBitcoinWallet(secret);

    // https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses
    expect(wallet.address.length, greaterThanOrEqualTo(26));
    expect(wallet.address.length, lessThanOrEqualTo(34));
  });
}

and an Ethereum wallet like so:

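import 'dart:convert';
import 'package:dot_keygen/dot_keygen.dart' as keygen;
import 'package:test/test.dart';
import 'package:web3dart/crypto.dart';
import 'package:web3dart/web3dart.dart';

void main() {
  test('derives an Ethereum wallet from a ticket', () {
    final myTicket = "~sampel-ticlet-migfun-falmel";

    final secret = keygen.derive(
      utf8.encode(myTicket),
      [keygen.ROOT, 'matt', keygen.Domain.Ethereum],
    );

    final wallet = keygen.toEthereumWallet(secret);

    // Recompute the address from the public key of the wallet's private key.
    final address = EthereumAddress.fromPublicKey(
      privateKeyBytesToPublic(wallet.privateKey.privateKey),
    );

    expect(address.hex, startsWith('0x'));
    expect(address.hexNo0x, hasLength(40));
  });
}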

Identity subpaths can be package identifiers (e.g. org.ethereum) or similar, perhaps backed by an on-chain registry / naming system (ENS, HNS, whatever). Perhaps one subpath should be apps or well-known that nests these well-known package IDs. idk, it's pretty arbitrary and up in the air.

Concerns

  1. I'm not a security person and I have no business writing these libraries.
  2. We use a constant secret length of 8 bytes at every path, which makes the tickets a nice 4-chunk length but only gives them 64 bits of entropy, making them not particularly good for security. In the future we should allow arbitrary secret length at each path to avoid situations where, for example, the bitcoin secret must have at least 128 bits so we just SHA256 the 64-bit secret instead of actually generating a 128-bit secret (lol).
  3. We probably want a secure random number generator in here somewhere (iirc, I wrote one in an old project...)
  4. Because of the recursive nature of derivation, deriving a large path takes linear time and cannot be done in parallel. The problem is avoided when not starting from the root (i.e. using an identity secret to derive a wallet is 1x cost instead of 2x if deriving from root).
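
A sketch of the recursive scheme from "How it Works" and of concerns 2 and 4, added here as an example and not dot_keygen's own code. It assumes each step is scrypt keyed by the parent secret and salted with the path segment; the cost parameters, the segment names (`matt`, `bitcoin`) and all function names are hypothetical.

```python
import hashlib

NODE_LEN = 8  # bytes per node secret, the constant length described under Concerns


def derive_child(parent: bytes, segment: str, dklen: int = NODE_LEN) -> bytes:
    # Assumed construction: scrypt keyed by the parent secret, salted with the
    # path segment. The cost parameters are illustrative, not the package's.
    return hashlib.scrypt(parent, salt=segment.encode(), n=2**10, r=8, p=1, dklen=dklen)


def derive(secret: bytes, path: list) -> tuple:
    """Walk `path` from `secret`; return (derived secret, number of KDF calls)."""
    calls = 0
    for segment in path:
        secret = derive_child(secret, segment)  # each step needs the previous output
        calls += 1
    return secret, calls


def stretch(secret: bytes) -> bytes:
    """SHA-256 widening of a node secret to 32 bytes (the workaround in concern 2)."""
    return hashlib.sha256(secret).digest()


def distinct_stretched_keys(node_len: int) -> int:
    """Count the 32-byte keys reachable from every node secret of node_len bytes."""
    return len({stretch(i.to_bytes(node_len, "big")) for i in range(256 ** node_len)})


TICKET = b"~sampel-ticlet-migfun-falmel"  # the sample ticket from the README

# Concern 4: root -> identity -> wallet costs two sequential KDF calls; starting
# from a stored identity secret reaches the same wallet secret with one.
identity, _ = derive(TICKET, ["matt"])
from_root = derive(TICKET, ["matt", "bitcoin"])
from_identity = derive(identity, ["bitcoin"])

# Concern 2: hashing widens the output but not the keyspace. With 2-byte node
# secrets there are only 2**16 possible "256-bit" keys; with 8 bytes, 2**64.
small_keyspace = distinct_stretched_keys(2)

# The fix proposed in concern 2: ask the KDF for the length the domain needs.
wide_wallet_secret = derive_child(identity, "bitcoin", dklen=16)
```

A wider `dklen` at one node only helps if every ancestor, and the ticket itself, is at least as wide: the keyspace is bounded by the narrowest secret on the path.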

0.0.1

  • initial version, see README

Use this package as a library

1. Depend on it

Add this to your package's pubspec.yaml file:


dependencies:
  dot_keygen: ^0.0.1

2. Install it

You can install packages from the command line:

with pub:


$ pub get

with Flutter:


$ flutter pub get

Alternatively, your editor might support pub get or flutter pub get. Check the docs for your editor to learn more.

3. Import it

Now in your Dart code, you can use:


import 'package:dot_keygen/dot_keygen.dart';
  
  • Popularity: 0 (how popular the package is relative to other packages)
  • Health: 100 (code health derived from static analysis)
  • Maintenance: 50 (how tidy and up-to-date the package is)
  • Overall: 40 (weighted score of the above)

We analyzed this package on Jul 8, 2020, and provided a score, details, and suggestions below. Analysis was completed with status completed using:

  • Dart: 2.8.4
  • pana: 0.13.13

Analysis suggestions

Package not compatible with runtime flutter-web on web

Because of the import of dart:isolate via the import chain package:dot_keygen/dot_keygen.dart → package:dot_keygen/src/dot_keygen_base.dart → package:web3dart/web3dart.dart → package:isolate/isolate.dart → package:isolate/registry.dart → package:isolate/ports.dart → dart:isolate

Package not compatible with runtime web

Because of the import of dart:isolate via the import chain package:dot_keygen/dot_keygen.dart → package:dot_keygen/src/dot_keygen_base.dart → package:web3dart/web3dart.dart → package:isolate/isolate.dart → package:isolate/registry.dart → package:isolate/ports.dart → dart:isolate

Health suggestions

Format lib/src/dot_keygen_base.dart.

Run dartfmt to format lib/src/dot_keygen_base.dart.

Maintenance issues and suggestions

Support latest dependencies. (-10 points)

The version constraint in pubspec.yaml does not support the latest published versions for 1 dependency (bitcoin_flutter).

The package description is too short. (-20 points)

Add more detail to the description field of pubspec.yaml. Use 60 to 180 characters to describe the package, what it does, and its target use case.

Maintain an example. (-10 points)

Create a short demo in the example/ directory to show how to use this package.

Common filename patterns include main.dart, example.dart, and dot_keygen.dart. Packages with multiple examples should provide example/README.md.

For more information see the pub package layout conventions.

Package is pre-v0.1 release. (-10 points)

While nothing is inherently wrong with versions of 0.0.*, it might mean that the author is still experimenting with the general direction of the API.

Dependencies

Package                  Constraint        Resolved  Available
Direct dependencies
Dart SDK                 >=2.5.0 <3.0.0
bitcoin_flutter          ^1.0.7            1.1.0     2.0.1
pointycastle             ^1.0.1            1.0.2
web3dart                 ^1.1.1+1          1.2.3     2.0.0-dev.7
Transitive dependencies
async                                      2.4.2
bech32                                     0.1.2
bip32                                      1.0.5
bip39                                      1.0.3
bs58check                                  1.0.1
charcode                                   1.1.3
collection                                 1.14.13
convert                                    2.1.1
crypto                                     2.1.5
hex                                        0.1.2
http                                       0.12.1
http_parser                                3.1.4
isolate                                    2.0.3
json_rpc_2                                 2.2.1
meta                                       1.2.1
path                                       1.7.0
source_span                                1.7.0
stack_trace                                1.9.5
stream_channel                             2.0.0
string_scanner                             1.0.5
term_glyph                                 1.1.0
typed_data                                 1.2.0
uuid                                       2.2.0
Dev dependencies
pedantic                 ^1.8.0            1.9.1
test                     ^1.6.0
urbit_ob                 ^1.0.0