feat: opt-in v2 Argon2+HKDF encryption for multisig and MPC flows

[pranavjain97]

Summary

Wire v2 encryption (Argon2id + AES-256-GCM + HKDF session caching) into wallet creation and signing call sites across multisig, DKLS MPCv2, and EdDSA flows.

• Opt-in via encryptionVersion: 2 on wallet/key creation
• Signing auto-detects v1/v2 from the envelope
• Default stays v1 -- zero breaking changes
• decryptKeychainPrivateKey made async to support v1/v2 auto-detection in signing paths

Live Node.JS Testing (testnet)

All flows tested end-to-end on testnet with real transactions:

Operation	v1 (SJCL/PBKDF2)	v2 (Argon2id+HKDF)	Delta
EdDSA wallet creation (tsol)	6.02s	5.53s	-8%
ECDSA MPCv2 wallet creation (hteth)	8.57s	7.92s	-8%
Multisig wallet creation (tbtc)	2.53s	2.43s	-4%
EdDSA signing (tsol)	11.64s	11.06s	-5%
ECDSA MPCv2 signing (hteth)	10.23s	11.02s	+8%

v2 wallet creation is consistently faster due to HKDF session caching. Signing is roughly equivalent -- network round trips dominate.

Test plan

• sdk-api unit tests (162 passing)
• sdk-core unit tests (163 passing)
• Codec validation tests for Lightning/GoAccount with encryptionVersion
• E2e tests for DKLS and EdDSA keygen with v2 envelopes
• Live testnet: EdDSA TSS wallet creation + signing (tsol)
• Live testnet: ECDSA MPCv2 wallet creation + signing (hteth)
• Live testnet: Multisig wallet creation + decrypt verification (tbtc)
• CI

TICKET: WCN-32

[linear]

WCN-32 Opt-in v2 Argon2+HKDF encryption for multisig, DKLS MPCv2, and EdDSA flows

[pranavjain97]

Wallet sharing to be done as a separate ticket.

[zahin-mohammad]

Review Summary

After multiple validation rounds with parallel reviewers (architect, crypto, call-site tracer, test-gap, devil's-advocate, consensus-checker), REQUEST CHANGES with two blockers and a focused set of inline comments.

---

Blockers

B1. No breaking-change marker on commits. None of the 7 commits on this PR carry feat!:, fix!:, or a BREAKING CHANGE: footer. lerna publish --conventional-commits (Angular preset) requires one of those for a major bump. Result: @bitgo/sdk-core will publish a minor bump despite IWallet.getUserPrv and decryptKeychainPrivateKey changing from sync string returns to Promise<string>. Downstream JS / non-strict-TS consumers will silently get a Promise where they expect a string. The repo's Check breaking changes CI job only diffs OpenAPI specs from modules/express — it does not guard SDK type signatures, so this is a code-review responsibility entirely. Fix: add a BREAKING CHANGE: footer to commit 36c78cd (or a follow-up commit) describing the async return-type change so lerna bumps sdk-core to a major version on publish.

B2. Sync v1 decrypt fan-out callers not converted, no follow-up tickets linked. A v2-encrypted wallet that flows into any of these sites hard-throws with a confusing SJCL tag-mismatch error. Blast radius is bounded today (v2 is opt-in), but every client that opts into v2 will trip at least one of these in normal usage:

• modules/sdk-core/src/bitgo/baseCoin/baseCoin.ts:647 — assertIsValidKey calls sjcl.decrypt directly
• modules/abstract-utxo/src/recovery/crossChainRecovery.ts:316 — sync decrypt(passphrase, encryptedPrv)
• modules/sdk-core/src/bitgo/recovery/initiate.ts:112 — bitgo.decrypt (affects EOS/TRX/STX/XRP/UTXO backup-key recovery)
• modules/sdk-core/src/bitgo/utils/tss/ecdsa/ecdsa.ts:567, 601 — non-MPCv2 ECDSA offline signing rounds
• modules/sdk-core/src/bitgo/keychain/keychains.ts:170 — updateSingleKeychainPassword
• modules/sdk-core/src/bitgo/keychain/keychains.ts:354-364 — recreateMpc (three sync decrypts)
• modules/sdk-core/src/bitgo/trading/tradingAccount.ts:72 — OFC payload signing
• modules/sdk-core/src/bitgo/wallet/wallets.ts (acceptShare / reshareWalletWithSpenders) — explicitly deferred per the PR comment

Fix options (any one): (a) convert each path to decryptAsync in this PR; (b) link follow-up tickets in the PR description for each path; (c) add a v2-opt-in guard at wallet creation that fails fast on these callers with a clear "v2 wallet operations require WCN-XX" error rather than letting SJCL surface a misleading tag-mismatch.

---

Major findings

See inline comments below.

---

Test coverage gap (not blocking, but please address)

The useV2 dispatch branches in createOfflineRound{1,2,3}Share (MPCv2) and getUserToBitgoCommitment / decryptRShare (EdDSA) currently have zero unit-test coverage. CI is green on the v2 dispatch only because no test exercises the branch — the live testnet runs in the PR description don't substitute for unit-level branch coverage. Please add at least one v2 signing-path test per coin family.

Separately: modules/bitgo/test/unit/decryptKeychain.ts (5 sync call sites) was not updated for the new async signature. The test runner uses tsx (no type-check), so this is not a CI break — but the assertions now run against a Promise object. Either the file silently fails to load and is skipped, or it asserts against a Promise and that's masked by the cdn=true reporter option. Either way the file no longer validates the function. Please add await and make the test functions async.

---

What was retracted from earlier review rounds

For the record:

• "CI will fail to compile" — wrong; tsx strips types. The decryptKeychain test file is a silent no-op, not a build break.
• "MPCv2 signing creates 3× Argon2id per signing" — wrong; each round is a separate HTTP request lifecycle, so cross-round session sharing is structurally impossible without server-side session storage.
• The v2 adata drop is documented design intent per commit 22bab61c (AES-GCM is self-authenticating). The narrower remaining concern (cross-round replay binding) is captured in the inline comment on ecdsaMPCv2.ts below.

---

Nits

• isV2Envelope is duplicated verbatim in ecdsaMPCv2.ts and eddsa.ts — extract to a shared util.
• decryptAsync falls through to v1 SJCL on unknown future versions (v: 3+). Should fail closed with Error('unknown envelope version').
• No JSDoc on EncryptOptions.adata warning that it's silently dropped when encryptionVersion: 2.

[zahin-mohammad]

Major — use a named alias. A bare literal 2 makes encryptionVersion: 1 a type error, even though v1 is the current default — so callers forwarding from a generic config ({ encryptionVersion: cfg.version }) need a cast. Suggest:

export type EncryptionVersion = 1 | 2;

export interface EncryptOptions {
  input: string;
  password?: string;
  adata?: string;
  encryptionVersion?: EncryptionVersion;
}

This prepares for v3 without a hunt-and-replace across the 8+ option types where the field appears (GenerateWalletOptions, GenerateMpcWalletOptions, CreateMpcOptions, CreateBackupOptions, CreateKeychainParamsBase, etc.). Also: adata should get a JSDoc note that it is silently dropped when encryptionVersion === 2 — see the inline comment on BitGoAPI.encryptAsync.

[zahin-mohammad]

Major — extract a named IEncryptionSession. The anonymous inline return type is repeated 4+ times across the PR (ecdsaMPCv2.ts addUserKeychain/addBackupKeychain parameter types, eddsa.ts session usage, etc.). EncryptionSession already exists as a class in modules/sdk-api/src/encryptionSession.ts. The structural problem is that sdk-core can't import from sdk-api (circular). Fix: declare an IEncryptionSession interface in modules/sdk-core/src/api/types.ts, export it from sdk-core/src/index.ts, and have both this interface and the EncryptionSession class in sdk-api reference it.

Without this, no external SDK consumer can write let session: ??? with a proper type import.

[zahin-mohammad]

Major — params.adata is silently dropped on the v2 path. v1 forwards adata to sjcl.encrypt; v2 calls encryptV2(password, input) with no AAD. Two consequences:

1. Callers passing adata get false confidence that AAD is bound — it is not.
2. In ecdsaMPCv2.ts, the v1 path uses adata = ${hashBuffer}:${derivationPath} to bind the encrypted round-session to the transaction context (validateAdata enforces the binding). The v2 path has no equivalent (see inline comment on ecdsaMPCv2.ts line 1242).

v2's AES-GCM is self-authenticating for the ciphertext — but doesn't replicate the transaction-context binding unless AAD is threaded through encryptV2 envelopes. Fix: add an additionalData?: string option to encryptV2/aesGcmEncrypt, store it in the v2 envelope, and verify in decryptV2. Or, at minimum, throw if params.adata is set and encryptionVersion === 2 so the silent drop becomes a loud error.

[zahin-mohammad]

Major — accepted but never read. EcdsaUtils.createKeychains (non-MPCv2 ECDSA) declares encryptionVersion?: 2 in its param type, but the function body never references it — createParticipantKeychain (line 299) still calls this.bitgo.encrypt(...) synchronously. Result: a caller that passes encryptionVersion: 2 to a non-MPCv2 ECDSA wallet gets v1 silently.

Fix: either thread encryptionVersion through createParticipantKeychain (mirroring the MPCv2 pattern), or remove the field from the param type if non-MPCv2 ECDSA is not in scope for v2 in this PR.

[zahin-mohammad]

Major — separate Argon2id session per keychain. createUserKeychain (line 200) and createBackupKeychain (line 295) each create their own createEncryptionSession for one encryption then immediately destroy(). Since both run in parallel via Promise.all (line 397/407 of createKeychains), Argon2id is computed twice unnecessarily.

EcdsaMPCv2Utils.createKeychains does this correctly: a single shared session created in the parent function and threaded into both addUserKeychain and addBackupKeychain. Please mirror that pattern here — create one session in createKeychains, pass it into both children, destroy() it in finally. Saves one full Argon2id derivation per keygen.

[zahin-mohammad]

Major / defense-in-depth — v2 path skips transaction-context binding. The v1 path (this.validateAdata(adata, encryptedRound1Session) on line 1246) binds the encrypted round-session to ${hashBuffer}:${derivationPath}, preventing replay across different transaction signing contexts. The v2 branch above (line 1242) has no equivalent.

GCM's authentication tag covers the ciphertext, but does not bind the session to a specific transaction — that property was provided by adata in v1. AAD support needs to be threaded through encryptV2 / EncryptionSession envelopes (see inline on BitGoAPI.encryptAsync), or the v2 round-session needs a different binding mechanism, or the relaxation needs to be documented as accepted security trade-off (with rationale for why round-session replay is not a concern for ephemeral signing keys).

This is also relevant for line 1337 (round-3 path).

Note: Zhongxi's HSM-1513 work (commits e3bc07cbf6 / d531ed2802 on a separate branch) adds round domain separators to v1 adata. v2 should get the equivalent before this lands.

[zahin-mohammad]

Blocker — breaking-change commit marker missing. This signature change (string → Promise<string>) is a public-API break for @bitgo/sdk-core consumers. IWallet is exported from the package barrel; downstream JS / non-strict-TS callers who do const prv = wallet.getUserPrv(opts); signTransaction({ prv }) will silently pass a Promise<string> to the signer.

lerna publish --conventional-commits (Angular preset) only triggers a major bump on feat!: / fix!: / BREAKING CHANGE: footer. None of the 7 commits on this PR carry that marker, so sdk-core will publish under a minor bump. The repo's Check breaking changes CI job is OpenAPI-only and does not catch SDK type-signature changes.

Fix: add a follow-up commit (or rewrite 36c78cd) with body:

BREAKING CHANGE: IWallet.getUserPrv now returns Promise<string> instead of string.
Callers must await the result.

Same applies to the decryptKeychainPrivateKey export — see inline on decryptKeychain.ts.

[zahin-mohammad]

Blocker — same as IWallet.getUserPrv. This is a named public export of @bitgo/sdk-core. The async signature change requires a BREAKING CHANGE: footer so lerna bumps the package to a major version on publish. Without it the published package will be a minor bump and downstream callers in untyped JS / non-strict TS will silently get a Promise where they expect a string | undefined.

Fix: roll into the same BREAKING CHANGE: footer as getUserPrv (or split into a separate footer). Suggest:

BREAKING CHANGE:
- IWallet.getUserPrv now returns Promise<string> (was string)
- decryptKeychainPrivateKey now returns Promise<string | undefined> (was string | undefined)
All callers must await the result.

Also note: modules/bitgo/test/unit/decryptKeychain.ts (5 sync decryptKeychainPrivateKey calls at lines 18, 36, 55, 74, 78) was not updated — see the summary for details. Please add await and make the test functions async so the file actually validates the new behavior.