Account Abstraction

on EVM-compatible networks:

Hedera and Ethereum

Brendan Graetz, 2023

Brendan Graetz | @bguiz | bguiz.com

What we'll cover

Back to basics
Hedera's take on the basics
What is account abstraction?
ECDSA and EdDSA based authorisation + Demo
Smart contract based authorisation + Demo
Enabling AA on an EVM-compatible network: Now + Future
Questions/ Wrap up

Brendan Graetz | @bguiz | bguiz.com

Before we start

Hashgraph → Consensus algorithm
Hedera → The "blockchain" network

Brendan Graetz | @bguiz | bguiz.com

Before we start, let's quickly address the names - Hashgraph or Hedera?
The concept started by the co-founders was something called hashgraph; which is essentially a DAG-based transaction ordering and finality confirmation consensus algorithm
This hashgraph consensus algorithm had no application attached to it at the time, I remember way back in 2018, Mance gave a talk, at which he distributed a swirlds.jar file
This file contained several POC applications demonstrating potential use cases for it. For example one of them was a database JDBC driver, and another one was a multiplayer snake game.
Later on, came Hedera, which is the blockchain-like application using Hashgraph as its consensus mechanism, of course
This is why, for example, Hedera's github org name is "Hashgraph"
More recently, we've also started a new github org, whose name is "Hedera-dev"
This is where we put demo applications et cetera, including some of the ones that you'll see today

Back to basics

What is a key?
- Elliptic curve cryptography
- ECDSA secp256k1
What is an account?
- private key → public key → address → EOA
- 1-to-1

ethereum.org/en/developers/docs/accounts

Brendan Graetz | @bguiz | bguiz.com

Let's start by talking about some really fundamental stuff; keys and accounts.
If you're coming from the context of Bitcoin or Ethereum, a private key is a randomly generated large number, then you use an elliptic curve, this specific one, to derive a public key.
This is basic asymmetric key cryptography in action.
Next up, we have accounts. How do you get an account?
Basically you use the private key to derive the public key,
and from that you derive the address.
Then the set that comprises of private key, public key, and address, become the externally owned account (or EOA);
essentially these 3 as a single unit.
With this process, because of the way that this works, there is always a direct 1-to-1 mapping between a private key and an account
That private key always corresponds to that account; and that account always corresponds to that private key; there's no 2 ways about it.

Hedera's take on the basics

What is a key?
- Simple key: ECDSA secp256k1 key/ EdDSA Ed25519 key/ Smart Contract ID
- Complex key: KeyList/ ThresholdKey → multisig
What is an account?
- Account can be generated from a simple key
- Account can be generated from a complex key
- Account can change its key → existing key must agree

docs.hedera.com/hedera/core-concepts/accounts

Brendan Graetz | @bguiz | bguiz.com

Let's take a look at Hedera's take on these basic concepts; as they are quite different
There are simple keys, which can be a single ECDSA key, or a single EdDSA key,
This is the same type of key as used on Bitcoin and Ethereum, and that is a different type of key - still Elliptic Curve Cryptography, just a different variety of it.
The interesting thing here is that Hedera supports multiple type of cryptographic keys right off the bat.
In addition to that, Hedera accounts may also have complex keys.
These are lists of simple keys, and may include a specified threshold to meet.
The interesting here, is that this means that Hedera allows you to create m-of-n multisig on its accounts.
If you wanted to achieve the same thing with Ethereum accounts at the moment, you'd need to use a smart contract, as the accounts/ transactions system does not support that.
One more thing of note is that accounts can change their keys from their present key to a new key; all it needs to do so is to submit a transaction to update its key, and simply authorise that using its current key.
All of these points of difference really are critical when it comes to removing that 1-to-1 mapping between keys and accounts, thereby making it possible to separate them.

ECDSA and EdDSA based authorisation + Demo

1 account with 2 keys: EdDSA, ECDSA
1-of-2 multisig → ThresholdKey
Concrete example → Demo!

github.com/hedera-dev/hedera-code-snippets/blob/main/multisig-account

Brendan Graetz | @bguiz | bguiz.com

Demo

github.com/hedera-dev/hedera-code-snippets/blob/main/multisig-account

Brendan Graetz | @bguiz | bguiz.com

Code Walkthrough

    // generate keys
    const edKey = PrivateKey.generateED25519();
    const ecKey = PrivateKey.generateECDSA();

    // create a `ThresholdKey` that represents a 1 of 2 multisig threshold
    const multisigPublicKeys = [edKey.publicKey, ecKey.publicKey];
    const multisigKeyList = new KeyList(multisigPublicKeys, 1);

    // Update account to use this `KeyList`, via an `AccountUpdateTransaction`.
    // This replaces the single signature with a the 1 of 2 multisig
    const makeMultisigTx = new AccountUpdateTransaction()
        .setAccountId(multisigAccountId)
        .setKey(multisigKeyList)
        .freezeWith(client);
    const makeMultisigTxSignedByOneKey = await makeMultisigTx.sign(edKey);
    const makeMultisigTxSubmitted = await makeMultisigTxSignedByOneKey.execute(client);

Brendan Graetz | @bguiz | bguiz.com

    // Sign a `TransferTransaction` using the ECDSA key only,
    // then attempt to execute it
    const transfer1of2EcTx = new TransferTransaction()
        .addHbarTransfer(multisigAccountId, new Hbar(-34))
        .addHbarTransfer(operatorId, new Hbar(34))
        .freezeWith(client);
    const transfer1of2EcTxSigned = await transfer1of2EcTx.sign(ecKey);
    const transfer1of2EcTxSubmitted = await transfer1of2EcTxSigned.execute(client);

Brendan Graetz | @bguiz | bguiz.com

AA EIPs

EIP-2771
EIP-4337
EIP-2938
EIP-3074

Brendan Graetz | @bguiz | bguiz.com

Account abstraction on Ethereum /1

EIP-2771: Secure Protocol for Native Meta Transactions
A contract interface for receiving meta transactions through a trusted forwarder
Introduces the concept of meta-transactions that allow third parties to pay for a user's gas costs without making changes to the Ethereum protocol.

eips.ethereum.org/EIPS/eip-2771

Brendan Graetz | @bguiz | bguiz.com

Account abstraction on Ethereum /2

EIP-4337: Account Abstraction Using Alt Mempool
An account abstraction proposal which completely avoids consensus-layer protocol changes, instead relying on higher-layer infrastructure.
Is the first step towards native smart contract wallet support in a decentralized way without requiring changes to the Ethereum protocol.

eips.ethereum.org/EIPS/eip-4337

Brendan Graetz | @bguiz | bguiz.com

Account abstraction on Ethereum /3

EIP-2938: Account abstraction
An account abstraction proposal which completely avoids consensus-layer protocol changes, instead relying on higher-layer infrastructure.
Aims to update the Ethereum protocol by introducing a new transaction type, AA_TX_TYPE that includes three fields: nonce, target and data, where nonce is a transaction counter, target is the entry point contract address and data is EVM bytecode.

eips.ethereum.org/EIPS/eip-2938

Brendan Graetz | @bguiz | bguiz.com

Account abstraction on Ethereum /4

EIP-3074: AUTH and AUTHCALL opcodes
Allow externally owned accounts to delegate control to a contract.
aims to update Ethereum's externally-owned accounts by allowing them to delegate control to a smart contract.

eips.ethereum.org/EIPS/eip-3074

Brendan Graetz | @bguiz | bguiz.com

What is account abstraction? /1

Core idea: Separate accounts from keys
1-to-1 mapping
Why?
- EOA allows something else to act on its behalf
- Delegate transfer auth

ethereum.org/en/roadmap/account-abstraction

Brendan Graetz | @bguiz | bguiz.com

What is account abstraction? /2

Hedera's account system and network protocol already:
- Allows one account to pay for transaction fees of another (~ EIP-2771)
- Has transactions that include additional fields (~ EIP-2938)
- Supports accounts delegating transaction authorisation to smart contracts (~ EIP-4337, EIP-3074)
So, does Hedera have account abstraction already?

ethereum.org/en/roadmap/account-abstraction

Brendan Graetz | @bguiz | bguiz.com

Now let's contrast these EIPs with Hedera's existing account system - how do they fit together?
I've already mentioned how Hedera accounts are separate from their keys earlier, but let's take a look at this through a different lens.
EIP-2771 allows one account to pay for the transaction fees of another account.
This is something Hedera already supports - its transaction model has a signer account and a submitter account as separate entries on each transaction. The signer account may not need to pay if the submitter account pays for the transaction fees on its behalf.
EIP-2938 approximates to transactions having additional fields.
Hedera has additional fields on its transactions that are needed to support signatures when the account has complex keys (and their resultant authorisation flows)
Finally, EIP-4337 and EIP-3074 - both of these EIPs allow transaction authorisation to be transferred or delegated, by an account, to a smart contract in some manner.
Hedera partially supports this right now, allowing accounts to define complex keys which include not only cryptographic keys, but also smart contract IDs.
So then, here's the big question, based on all of that - does Hedera already have account abstraction?

What is account abstraction? /3

Not yet
Smart contract authorisation
- Only for system contracts
- (AKA precompiles)

ethereum.org/en/roadmap/account-abstraction

Brendan Graetz | @bguiz | bguiz.com

I would say to that, the answer is: Not yet
Pretty close, but still, not yet.
Hedera has a concept that is quite similar to precompiles in Ethereum, called "system contracts"
These system contracts behave like "regular" smart contracts in the sense that they have an address, and you can interface with them through an ABI, but they were never implemented using Solidity, and don't execute on the EVM. Instead they're implemented directly within the core nodes themselves.
For those of you who have compiled software written in one programming language, and needed that to interface with a compiled software library that was written in a different programming language, you're likely to have used a foreign function interface, or FFI.
When working with Hedera system contracts, you can think of their ABIs as being analogous to FFIs.
Coming back to the main topic, at the moment, smart contract based authorisation is restricted to authorising system contract invocations only.
We're not yet able to authorise function invocations on custom smart contracts deployed by any developer.
Right now this seems like it is the last piece of the puzzle
There's an adage that goes: We've completed the first 90%, now it's time to do the last 90% ... I'm sure more than a few of you have heard that before ;)

Smart contract based authorisation

Account with complex keys, constituent sub-keys may be
- ECDSA key
- EdDSA key
- Smart Contract ID!
System contract: Hedera Token Service
Key use case: Smart wallets
Function invocation comes via smart contract in key
- Used for authorising that same transaction

Brendan Graetz | @bguiz | bguiz.com

Alright, let's do a demo to show you this smart contract based authorisation flow in action, where an account has a complex key which contains a smart contract ID
In this demo the account will have a complex key which includes a cryptographic key, and a smart contract ID
Hedera has several system contracts, but the one of note, and the one that we will be interacting with in this demo, is Hedera Token Service, which allows you to create and operate fungible and non-fungible tokens, similar to ERC20s and ERC721s, without actually writing or deploying any smart contracts.
That's another topic in and of itself, but what's relevant in the context of this demo is that you can send tokens around by interacting with this system contract.
As a side note, this is actually a pretty relevant use case for account abstraction, because authorising smart contracts to send tokens around on behalf of an account is a large part of what smart wallets need to do.
And you see smart wallets being mentioned a lot in this context, as a key use case that is enabled through the introduction of account abstraction. In other words, without account abstraction, smart wallets aren't possible, or so goes the implication.
So the Hedera Token Service system contract turns out to be pretty on-point target for this demo.

SC based authorisation + Demo

3 types of key components: EdDSA, ECDSA, Smart Contract ID
1-of-2 multisig → ThresholdKey
Concrete example → Demo!

- github.com/hedera-dev/hedera-code-snippets/blob/main/multisig-sc-account

Brendan Graetz | @bguiz | bguiz.com

Demo

github.com/hedera-dev/hedera-code-snippets/blob/main/multisig-sc-account

Brendan Graetz | @bguiz | bguiz.com

Code Walkthrough

// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;
import "./IHederaTokenService.sol";
contract Account {
    IHederaTokenService hederaTokenService;

    constructor() {
        hederaTokenService = IHederaTokenService(address(0x0167));
    }

    function performPrecompileOperation(
        address token,
        address sender,
        address recipient,
        int64 amount
    ) external {
        int64 responseCode = hederaTokenService.transferToken(
            token, sender, recipient, amount);
        // HederaResponseCodes.SUCCESS = 22
        require(responseCode == 22, "HTS transfer error");
    }
}

Brendan Graetz | @bguiz | bguiz.com

    // Obtain the ID of the deployed smart contract
    const scId = scDeployTxRecord.receipt.contractId;
    console.log('scId', scId.toString());

    // Generate a new ECDSA key
    const ecKey = PrivateKey.generateECDSA();

Brendan Graetz | @bguiz | bguiz.com

    // Create a `ThresholdKey` that represents a 1 of 2 multisig threshold
    // where one of the keys is the smart contract ID, and the other is the ECDSA key
    const multisigPublicKeys = [scId, ecKey.publicKey];
    const multisigKeyList = new KeyList(multisigPublicKeys, 1);

    // Update account to use this `KeyList`, via an `AccountUpdateTransaction`.
    // This replaces the single signature with a the 1 of 2 multisig
    const makeMultisigTx = new AccountUpdateTransaction()
        .setAccountId(multisigAccountId)
        .setKey(multisigKeyList)
        .freezeWith(client);
    const makeMultisigTxSignedByAllKeys = await makeMultisigTx.sign(ecKey);
    const makeMultisigTxSubmitted = await makeMultisigTxSignedByAllKeys.execute(client);

Brendan Graetz | @bguiz | bguiz.com

    // Invoke `Account.performPrecompileOperation` function on the smart contract whose ID is
    // of the `KeyList` of the multisig account
    const scPerformPrecompileTx = new ContractExecuteTransaction()
        .setContractId(scId)
        .setGas(400_000)
        .setFunction(
            'performPrecompileOperation',
            new ContractFunctionParameters()
                .addAddress(toLongZeroEvmAddress(htsFtId))
                .addAddress(multisigAccountEvmAddress.toString())
                .addAddress(toLongZeroEvmAddress(operatorId))
                .addInt64(23),
        )
        .freezeWith(client);
    // NOTE that this transaction is intentionally **unsigned**.
    // This is to verify that the smart contract is also part of `KeyList` of the multisig account
    // does indeed fulfil its role in being able to authenticate the precompile transaction in lieu of a signature.
    const scPerformPrecompileTxSubmitted = await scPerformPrecompileTx.execute(client);

Brendan Graetz | @bguiz | bguiz.com

Enabling AA

Now and future
HIPs
🔮 predictions

Brendan Graetz | @bguiz | bguiz.com

Enabling AA on an EVM-compatible network /1

Now:
- All transactions: m-of-n multisig with cryptographic keys
- System contract transactions: m-of-n multisig with cryptographic keys + smart contract ID
Future:
- All transactions: m-of-n multisig with cryptographic keys + smart contract ID
- Account abstraction?

Brendan Graetz | @bguiz | bguiz.com

What do we have now on Hedera?
Let's think about the various ingredients that one would need to enable account abstraction
What Hedera currently has, is the ability to perform m-of-n multisig transactions natively, using cryptographic key signatures as authorisation
Hedera presently also has the ability to perform m-of-n multisig transactions restricted to system contracts only, using both cryptographic key signatures and smart contract invocation flows as authorisation
But that 2nd one has a restriction, which prevents what I'd consider to be full-blown account abstraction from happening.
The idea is that smart contract authorisation flows should not be restricted to system contracts only - rather they should be able to authorise transactions on any custom smart contract deployed by developers.
So, let's say that that final restriction is indeed removed ... will Hedera then have account abstraction?

Enabling AA on an EVM-compatible network /2

What's needed?

HIP-632
- New hederaAccountService system contract
- New function isAuthorized(address, messageHash, signatureBlob)
HIP-792
- New function isAuthorizedCurrentTransaction()

Brendan Graetz | @bguiz | bguiz.com

But before answering that question, let's quickly go over what would be necessary to remove that final hurdle on Hedera - so let's put a pin in it and come back to it in a bit.
Here are a couple of HIPs - Hedera Improvement Proposals - which are the analogue of EIPs on Hedera.
Links to these are provided at the bottom of these slides
HIP-632 has already been accepted, so it is now a matter of completing the implementation
This proposes a new system contract called Hedera Account Service, which exposes several account-related functions via its ABI
Of note is a function named isAuthorized, into which you pass in a few fields (that you see here) as parameters;
The way that you use isAuthorized would be extremely similar to the ecrecover precompile that you would use on Ethereum. Similar to passing in v, r, & s fields.
This solves the problem to some extent, but it has some limitations, because the EVM does not expose the full transaction data to smart contracts, so you are limited in what you can read from the current transaction
HIP-792 is another proposal to augment that same Hedera Account Service system contract, adding a new function isAuthorizedCurrentTransaction where the client does not need to pass those fields in
instead, those fields are extracted from the current transaction, which you cannot do within smart contracts
System contracts, on the other hand, are capable of doing precisely that
This HIP has just been proposed, and is in draft status at the moment - so caveats apply, and expect things to change radically as a result

Enabling AA on an EVM-compatible network /3

Account abstraction?
Yes
But different
- Protocol level changes vs already baked in
- Community consensus

Brendan Graetz | @bguiz | bguiz.com

Alright, now that we have covered those HIPs which would get over that final hurdle, we can get back to that question asked earlier: Does this mean that Hedera will have account abstraction?
I would say that this is a journey that has been fully trodden by neither Ethereum nor Hedera yet.
Therefore we basically don't know where it will end up in either network.
Based on what is already present on each network, and the approaches that have been proposed and implemented in the various EIPs and HIPs thus far, I think it is safe to draw a couple of conclusions
(1) That both Ethereum and Hedera are going to achieve account abstraction at some point of time in the future - which is great news!
(2) That the way in which each network is going to achieve account abstraction is going to be quite different. The main thrust of the EIPs thus far has been to avoid protocol level changes as much a possible. Whereas with Hedera, some version of those same protocol level changes that these EIPs are avoiding have already been baked right into Hedera's accounts and transactions model, from the get-go ... even prior to any account abstraction considerations. So the community consensus on each network is likely to be quite different.
So that was my crystal ball prediction, which is that account abstraction will be achieved, but is going to be and look quite different between these 2 networks.
Let's check in again a year from now or so, and see how wrong I was in my predictions! ;)

Wrap up

Ingredients for account abstraction → Basics, take 2
Separating cryptographic keys from accounts → Easy(er)
Adding smart contract authorisation → Head(er)
What account abstraction ends up being → Likely to differ between networks

Brendan Graetz | @bguiz | bguiz.com

?   ?
?   ?
?   ?
?????
?   ?
?????
?   ?
?   ?
?   ?

Brendan Graetz | @bguiz | bguiz.com