Introducing the new Tezos tz2 staking wallet
Tezos supports 3 cryptographic curves that are denoted by the number after tz in the public key hash: tz1, tz2 or tz3.
Almost all current baking operations use tz1 addresses which are backed by the ed25519 cryptographic signature algorithm. While perhaps the most secure curve, this curve is newer and unsupported by all major Cloud HSMs. Delegation services using a tz1 address need to trade off the cryptographic security of Ledger baking with the risks associated with physical security, or of having a software defined cloud hosted wallet.
tz3 addresses use the NIST p256r1 curve whose parameters were securely selected by the National Institute of Standards and technology. These addresses are used by the Tezos Foundation. The Tezos Foundation wanted to use Amazon Web Services’ Cloud HSM solution for key management and at the time of key generation only the p256r1 was supported by AWS. However, the standard `tezos-client` binary no longer fully supports the p256r1 curve, posing additional risks and costs on operations that wanted to mimic the Tezos Foundation.
This leaves the tz2 hash. Tz2 addresses use the Secp256k1 curve which is also used by Bitcoin in time tested fashion. This curve was only recently added to Amazon’s CloudHSM which we’re using to protect these keys. We’ve chosen to use these keys because they’re fully supported in the reference Tezos clients (unlike the tz3 addresses), have been securely used in Bitcoin for years and now have good support in the cloud. Only delegation services using a tz2 public key hash take advantage of the same elliptic curve cryptography as Bitcoin (secp256k1) while benefiting from the security of Amazon’s CloudHSM.
Using these keys with an HSM requires a conversion between traditionally formatted HSM files and familiar Tezos keys. Our partners at Polychain Labs built this key-encoder to transition between.They then built this golang HSM remote-signer to securely sign transactions from these keys protected in an HSM.
Benefits to Bakers for using a tz2 staking wallet
Tezos Capital powered by Polychain Labs is focused on providing the highest available, highest rated delegation service in the Tezos ecosystem. We theorized that the infrastructure that could be enabled by using a tz2 wallet hash could provide a superior institutional level baking environment.
- High availability: With the tz2 infrastructure, we are able to utilize an AWS stack including the Amazon CloudHSM. We believe over the long term this configuration will produce fewer misses on both our baking rights and our endorsement rights.
- High efficiency: We plan to secure and maintain a AAA+ rating in our performance on MyTezosBaker with a goal of keeping an efficiency score of greater than 100%. We expect this to happen after we have scaled our rolls under management to 100+ rolls.
We will monitor and report on our performance on our dashboard available at www.tezos.capital. By combining our use of the tz2 infrastructure and by providing a virtually unlimited bond, we believe we have delivered a new level of service in the Tezos staking ecosystem. We would welcome your participation in our delegation service.
We look forward to providing updates on our results as our service matures over the coming year. If you have any questions, or to schedule a discussion about our services, please contact info@tezos.capital, or reach us on twitter @tezoscommunity.
