Key Separation

Background

Traditionally, Operators have used a single key to register on Eigenlayer contracts and participate in consensus within AVSs.

AVSs are networks requiring constant off-chain execution logic, with tasks settled on-chain. This necessitates ongoing automated signing, where operators submit transactions to the AVS contracts, alongside participating in peer-to-peer consensus.

However, using the same key for both AVS registration and consensus poses a security risk. The key must be stored in a potentially vulnerable manner—either as raw text or in an encrypted Keystore file—on the machine performing tasks and submitting on-chain proofs.

To address these security concerns, Othentic introduced Key Separation.

Controller Key

The Controller Key is used only as an ECDSA key:

Register as Operator in Eigenlayer contracts.
Interact with the AVS as Operator:
- Register as Operator in AVSGovernance contract.
- Submit proof-of-tasks to AttestationCenter contract.
- Request rewards from AttestationCenter contract.
- Submit task aggregation result to AttestationCenter contract.

Consensus Key

The Consensus Key is used only as a BLS key. Operators use it to attest task validity/invalidity in the P2P networking layer.

PreviousLiveliness AVS Sample

Last updated 12 days ago