Skip to main content


Introduction to the philosophy and account roles related to key management on Celo.


Crypto is a tool for turning a whole swathe of problems into key management problems. Key management problems are way harder than (virtually all) cryptographers think.

@LeaKissner on Twitter


The Celo protocol was designed with the understanding that there is often an inherent tradeoff between the convenience of accessing a private key and the security with which that private key can be custodied. In general Celo is unopinionated about how keys are custodied, but also allows users to authorize private keys with specific, limited privileges. This allows users to custody each private key according to its sensitivity (i.e. what is the impact of this key being lost or stolen?) and usage patterns (i.e. how often and under which circumstances will this key need to be accessed).


The table below outlines a summary of the various account roles in the Celo protocol. Note that these roles are often mutually exclusive. An account that has been designated as one role can often not be used for a different purpose. Also note that under the hood, all of these accounts) are based on secp256k1 ECDSA private keys with the exception of the BLS signer. The different account roles are simply a concept encoded into the Celo proof-of-stake smart contracts, specifically Accounts.sol.

For more details on a specific key type, please see the more detailed sections below.

RoleDescriptionLedger compatible
Celo AccountAn account used to send transactions in the Celo protocolYes
Locked Gold AccountUsed to lock and unlock CELO and authorize signersYes
Authorized vote signerCan vote on behalf of a Locked Gold AccountYes
Authorized validator (group) signerCan register and manage a validator group on behalf of a Locked Gold AccountYes
Authorized validator signerCan register, manage a validator, and sign consensus messages on behalf of a Locked Gold AccountNo
Authorized validator BLS signerUsed to sign blocks as a validatorNo
Authorized attestation signerCan sign attestation messages on behalf of a Locked Gold accountNo

A Locked Gold Account may have at most one authorized signer of each type at any time. Once a signer is authorized, the only way to deauthorize that signer is to authorize a new signer that has never previously been used as an authorized signer or Locked Gold Account. It follows then that a newly deauthorized signer cannot be reauthorized.