Pre-execution privacy (PEP)
The PEP module manages execution of encrypted transactions. It requests keys for decrypting the transactions from the keyshare module, which may reside on either the same chain or a different chain.
Invariants
Encrypted transactions must have their gas fees prepaid by their creators.
Test coverage
The individual messages are tested in Go unit tests, and flows involving sequences of messages are tested against a local devnet by scripts/tests/pep.sh.
Attack surface
MsgUpdateParams
The MsgUpdateParams message updates the parameters of the PEP module.
It must be signed by the keeper's `Authority`, which is initialized to the PEP module's module address.
It validates that the `TrustedAddresses` are Bech32-encoded addresses; that the `TrustedCounterParties` each have nonempty channel IDs, connection IDs, and client IDs; that the keyshare channel ID is nonempty; that the `MinGasPrice` and `PrivateDecryptionKeyPrice` are positive; and that the `IsSourceChain` field is a `bool`.
Because `TrustedAddresses` decides whose decryption keys a non-source chain accepts (see MsgSubmitDecryptionKey), whoever controls the `Authority` controls that trust set.
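The checks listed above, written out in Go as an added example; this is not the module's own code. The `Params`, `CounterParty` and `UpdateParams` names, the integer prices standing in for `sdk.Coin`, and the self-contained Bech32 checksum verifier standing in for the SDK's address parser are assumptions of this example. The sample address is a BIP-173 test vector, not an address from any chain.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal Bech32 (BIP-173) checksum verification, a stand-in for the SDK's address
// parser. It does not check that the HRP matches the chain's account prefix.
const bech32Charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

func bech32Polymod(values []byte) uint32 {
	gen := [5]uint32{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3}
	chk := uint32(1)
	for _, v := range values {
		top := chk >> 25
		chk = (chk&0x1ffffff)<<5 ^ uint32(v)
		for i := 0; i < 5; i++ {
			if (top>>uint(i))&1 == 1 {
				chk ^= gen[i]
			}
		}
	}
	return chk
}

// IsBech32 reports whether s has the shape hrp + "1" + data and a valid checksum.
func IsBech32(s string) bool {
	if len(s) < 8 || (strings.ToLower(s) != s && strings.ToUpper(s) != s) {
		return false // too short, or mixed case
	}
	s = strings.ToLower(s)
	sep := strings.LastIndex(s, "1")
	if sep < 1 || len(s)-sep-1 < 6 {
		return false // empty HRP, or data shorter than the 6-character checksum
	}
	values := make([]byte, 0, len(s)+1) // HRP expansion (high bits, 0, low bits), then data
	for i := 0; i < sep; i++ {
		values = append(values, s[i]>>5)
	}
	values = append(values, 0)
	for i := 0; i < sep; i++ {
		values = append(values, s[i]&31)
	}
	for _, c := range s[sep+1:] {
		idx := strings.IndexRune(bech32Charset, c)
		if idx < 0 {
			return false // character outside the Bech32 alphabet
		}
		values = append(values, byte(idx))
	}
	return bech32Polymod(values) == 1
}

// CounterParty and Params are simplified stand-ins for the module's types;
// prices are plain integer amounts rather than sdk.Coin.
type CounterParty struct{ ClientID, ConnectionID, ChannelID string }
type Params struct {
	TrustedAddresses          []string
	TrustedCounterParties     []CounterParty
	KeyshareChannelID         string
	MinGasPrice               int64
	PrivateDecryptionKeyPrice int64
}

// Validate applies the checks listed above for MsgUpdateParams.
func (p Params) Validate() error {
	for _, a := range p.TrustedAddresses {
		if !IsBech32(a) {
			return fmt.Errorf("trusted address %q is not Bech32-encoded", a)
		}
	}
	for i, cp := range p.TrustedCounterParties {
		if cp.ClientID == "" || cp.ConnectionID == "" || cp.ChannelID == "" {
			return fmt.Errorf("trusted counterparty %d has an empty client, connection or channel ID", i)
		}
	}
	if p.KeyshareChannelID == "" {
		return fmt.Errorf("keyshare channel ID must not be empty")
	}
	if p.MinGasPrice <= 0 || p.PrivateDecryptionKeyPrice <= 0 {
		return fmt.Errorf("MinGasPrice and PrivateDecryptionKeyPrice must be positive")
	}
	return nil
}

// UpdateParams is the handler's gate: the signer must equal the keeper's Authority,
// and the new set must validate, before anything is stored.
func UpdateParams(authority, signer string, p Params) error {
	if signer != authority {
		return fmt.Errorf("unauthorized: expected %s, got %s", authority, signer)
	}
	return p.Validate()
}

func main() {
	p := Params{TrustedAddresses: []string{"a12uel5l"}, KeyshareChannelID: "channel-0", MinGasPrice: 1, PrivateDecryptionKeyPrice: 1}
	fmt.Println(UpdateParams("authority", "authority", p), UpdateParams("authority", "mallory", p))
}
```

The authority comparison runs before validation so that an unprivileged signer learns nothing about which parameter sets would be accepted. A production check would additionally require the Bech32 HRP to equal the chain's account prefix; a checksum-valid address for another chain passes `IsBech32` here.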
MsgSubmitEncryptedTx
The MsgSubmitEncryptedTx message submits an encrypted transaction for execution at a target height.
The target height must be ahead of the current block height, or, if another chain is the source chain, ahead of the latest source block height.
The target height must not exceed the expiry of the queued public key, or of the active public key if no queued public key is present.
The creator's address must be Bech32 encoded.
The PEP module transfers a gas prepayment from the creator to itself, and the encrypted transaction is stored keyed by the target height.
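The admission flow for MsgSubmitEncryptedTx as an added example, not the module's own code. The `ChainState`, `EncryptedTx` and `Keeper` types, the in-memory balance map standing in for the bank module, and the `prepayment` argument are assumptions of this example (the page does not say how the prepayment amount is computed, so it is passed in). Bech32 validation of the creator is omitted here. The example also covers the cross-chain case, where the reference height is the latest source height rather than the local one.

```go
package main

import "fmt"

// ChainState holds the facts the target-height check depends on (a constructed
// stand-in for what the keeper reads from its store).
type ChainState struct {
	IsSourceChain      bool
	CurrentHeight      uint64 // this chain's current block height
	LatestSourceHeight uint64 // latest height reported by the source chain
	ActiveKeyExpiry    uint64 // expiry height of the active public key
	HasQueuedKey       bool
	QueuedKeyExpiry    uint64 // expiry height of the queued public key, if any
}

// ValidateTargetHeight enforces the two bounds described above: the target must be
// ahead of the reference height (local height on the source chain, latest source
// height otherwise) and no later than the expiry of the queued key, falling back
// to the active key when nothing is queued.
func ValidateTargetHeight(target uint64, st ChainState) error {
	ref := st.CurrentHeight
	if !st.IsSourceChain {
		ref = st.LatestSourceHeight
	}
	if target <= ref {
		return fmt.Errorf("target height %d is not ahead of reference height %d", target, ref)
	}
	expiry := st.ActiveKeyExpiry
	if st.HasQueuedKey {
		expiry = st.QueuedKeyExpiry
	}
	if target > expiry {
		return fmt.Errorf("target height %d exceeds public key expiry %d", target, expiry)
	}
	return nil
}

type EncryptedTx struct {
	Creator      string
	TargetHeight uint64
	Data         []byte // ciphertext, opaque to the module until the key arrives
}

// Keeper is a toy stand-in: a balance map replaces the bank module and Queue
// replaces the height-keyed store.
type Keeper struct {
	State         ChainState
	Balances      map[string]int64 // creator address -> spendable balance
	ModuleBalance int64            // prepayments held by the PEP module account
	Queue         map[uint64][]EncryptedTx
}

func NewKeeper(st ChainState) *Keeper {
	return &Keeper{State: st, Balances: map[string]int64{}, Queue: map[uint64][]EncryptedTx{}}
}

// SubmitEncryptedTx is the handler flow: validate the height window, take the
// gas prepayment, and only then enqueue. A failed transfer leaves the queue
// untouched, so an unfunded creator cannot fill a future height for free.
func (k *Keeper) SubmitEncryptedTx(tx EncryptedTx, prepayment int64) error {
	if err := ValidateTargetHeight(tx.TargetHeight, k.State); err != nil {
		return err
	}
	if prepayment <= 0 || k.Balances[tx.Creator] < prepayment {
		return fmt.Errorf("creator %s cannot cover gas prepayment %d", tx.Creator, prepayment)
	}
	k.Balances[tx.Creator] -= prepayment
	k.ModuleBalance += prepayment
	k.Queue[tx.TargetHeight] = append(k.Queue[tx.TargetHeight], tx)
	return nil
}

func main() {
	k := NewKeeper(ChainState{IsSourceChain: true, CurrentHeight: 100, ActiveKeyExpiry: 150})
	k.Balances["alice"] = 5
	fmt.Println(k.SubmitEncryptedTx(EncryptedTx{Creator: "alice", TargetHeight: 120, Data: []byte("ct")}, 3))
}
```

The ordering matters: the height checks are pure reads and run first, the transfer is the only step that can fail after state is touched, and the store write comes last, so a rejected message never leaves a ciphertext queued at a height whose key will later be published.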
MsgSubmitGeneralEncryptedTx
The MsgSubmitGeneralEncryptedTx message submits an encrypted transaction for a general encrypted identity.
The identity must be present in the PEP module's state.
The creator's address must be Bech32 encoded.
The PEP module transfers a gas prepayment from the creator to itself, and the encrypted transaction is stored in the identity's transaction queue.
MsgSubmitDecryptionKey
The MsgSubmitDecryptionKey message submits a decryption key on non-source chains.
If `IsSourceChain` is set, an error is returned.
The signer must be in the PEP module's list of `TrustedAddresses`.
There must be a nonempty active public key in the PEP module's state.
The provided decryption key must be able to decrypt the string `"test data"` encrypted towards the active public key; this trial decryption is what binds the submitted key to the active public key rather than to some other key.
If the trial decryption succeeds, the decryption key is stored, along with the latest height from the source chain.
MsgRequestGeneralIdentity
The MsgRequestGeneralIdentity message submits a request for a general identity.
A request for the specified creator and ID must not already exist.
If this chain is the source chain, an entry for the requested identity is stored.
If another chain is the source chain, a `RequestDecryptionKeyPacket` for the requested identity is sent to the source chain.
MsgRequestGeneralDecryptionKey
The MsgRequestGeneralDecryptionKey message submits a request for a decryption key for a general identity.
An entry for the identity must exist, and the entry's creator must be the signer.
If this chain is the source chain, the decryption key request is stored.
If another chain is the source chain, a `GetDecryptionKeyPacket` is sent to the source chain.
MsgRequestPrivateIdentity
The MsgRequestPrivateIdentity message submits a request for an identity with encrypted keyshares.
A request for the specified creator and ID must not already exist.
If this chain is the source chain, an entry for the request is stored.
If another chain is the source chain, a `RequestPrivateDecryptionKey` packet is sent to the source chain.
MsgRequestPrivateDecryptionKey
The MsgRequestPrivateDecryptionKey message submits a request for encrypted keyshares.
The identity for the request is created if it does not already exist.
The creator's address must be Bech32 encoded.
The PEP module transfers the `PrivateDecryptionKeyPrice` from the creator to itself.
If this chain is the source chain, an entry for the request is stored.
If another chain is the source chain, a `GetPrivateDecryptionKeyPacket` is sent to the source chain.
MsgRegisterContract
The MsgRegisterContract message registers a WASM contract for execution when a specified identity's decryption key is made available.
The contract's address must be Bech32 encoded, and a contract must have been instantiated at it.
The signer must be the contract's admin and creator.
There must not already be a scheduled execution of the contract at the specified identity.
The contract is scheduled for execution in the specified identity's queue.
MsgUnregisterContract
The MsgUnregisterContract message unregisters a previously registered WASM contract.
The contract's address must be Bech32 encoded, and a contract must have been instantiated at it.
The signer must be the contract's admin and creator.
The specified identity's list of scheduled contracts is scanned, and if the specified contract is found, it is removed.