
https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/7a527fd9-e3c8-490b-88c4-b6167ed4b200/public

Nutstash newsletter: #6 deterministic secrets and recovery from seed

#bob-space

Backing up ecash is... hard... it's weird. At least it was!

How does ecash backup work?

Ecash is just data! So the actual ecash can easily be backed up by simply creating a copy of the data and storing it somewhere else. Easy, right? Problem solved?

Not quite.

The ecash backed up with this scheme is like a "snapshot". But what if you receive more ecash into your wallet? This newly received ecash won't be backed up!

Or even worse: You spend a large token that gives you back a bunch of change. This change is also not backed up!

Damn..... So basically, to make this backup scheme work, you have to make a backup after EVERY transaction! This is obviously never gonna happen, so we need a better solution.

The answer is? ...... deterministic secrets

To understand how this works, we need to take a look under the hood of the cashu protocol.

To create ecash, a wallet has to initiate the process by creating two randomly generated (huge) numbers:

r: the blinding factor

x: the secret

We then convert the secret to a point on the elliptic curve by hashing it onto the curve.

This gives us Y.

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/380f13e9-9345-4f75-a7da-72d1adc78800/public

We then tweak our (hashed) secret by adding our blinding factor's public key. This gives us the blinded message (B_).

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/53082cd6-67c7-442d-f0fd-0fe573e60500/public

In the next step, we send our blinded message to the mint and ask the mint to sign it by multiplying it with k. k is a private key that the mint controls and uses for only one denomination (for example 1 sat). Usually the mint will only sign if we either destroy another valid ecash token of the same value, or we show proof of payment of a lightning invoice.

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/fa654de9-02b3-4d23-8d46-6273ed5f3a00/public

After the mint has signed, we can "unblind" the blind signature C_ with the initial blinding factor r and the mint's 1 sat public key K. This gives us C, the signature.

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/18dab701-5d6f-411b-424d-ac06a9800c00/public

Together with the initial secret x, we can now prove to the mint that they signed x with C, without them being able to correlate it with the blinded message they signed! So the secret x together with the signature C is what represents the ecash!

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/a4d16c73-abf1-4adf-0d96-9b9415691d00/public

Deterministic?

So far, the ecash has been created randomly. That's great, but it's impossible to recover. Instead, we can derive the initial numbers from the BIP39 seed phrase we all know and love, and use a BIP32 derivation path to create unique but recreatable blinded messages. We simply increase a counter for each new secret and blinding factor, and we can generate new numbers deterministically!

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/79c3326f-e0eb-4015-c4c6-9018f22cf200/public

In case we lose our wallet, we can now restore the ecash via the seed phrase. We start out by generating a bunch of blinded messages derived from the seed phrase:

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/cf62abaa-2231-4d0a-b151-9ae9215a3200/public

Now, we can match our messages against the mint's database and download all corresponding blind signatures.

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/b10994bd-5105-48fa-7e9e-b2a4082a0100/public

We unblind them with the same scheme as before...

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/0b8358a6-dd17-49e6-fef8-79989a89a700/public

And with the mint's help, find out which tokens are not spent yet:

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/dde5d2c2-5cc0-4bbe-edd9-2740e29cf400/public

If we want to optimize for privacy, we will have to sacrifice some bandwidth:

https://imagedelivery.net/wyrwp3c-j0gDDUWgnE7lig/b57401f9-595d-4262-5e58-6afd61db9c00/public

And that's it! That's how we can use a seed phrase to recover lost ecash! Important to know: we cannot create a seed phrase after creating the ecash. The seed phrase must come first, or the ecash won't be recoverable.
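To make the two halves of the post concrete (the blinding, signing and unblinding steps, and the counter-based restore from a seed), here is an added example written for this page. It is not code from the newsletter or from cashu-ts. The secp256k1 arithmetic is done by hand in pure Python, the hash_to_curve is a simplified version of the Cashu construction (not the exact NUT-00 rule), and the `derive` function is a stand-in for the BIP32 path derivation: it uses HMAC-SHA512 over the keyset id and counter, which keeps the "counter in, deterministic x and r out" idea without a BIP32 implementation. The mint database, keyset id and seed are constructed for the demo.

```python
# Added example (not from the newsletter or cashu-ts): blind signatures plus a
# deterministic-secret restore, with secp256k1 arithmetic written by hand.
import hashlib, hmac, secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    x1, y1 = A; x2, y2 = B
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def ec_neg(A):
    return None if A is None else (A[0], (-A[1]) % P)

def hash_to_curve(secret: bytes):
    """Y = hash_to_curve(x): hash until the digest is a valid x-coordinate.
    Simplified version of the Cashu construction (not the exact NUT-00 rule)."""
    msg = secret
    while True:
        h = hashlib.sha256(msg).digest()
        x = int.from_bytes(h, "big")
        if x < P:
            rhs = (pow(x, 3, P) + 7) % P
            y = pow(rhs, (P + 1) // 4, P)   # P = 3 mod 4, so this is a sqrt when one exists
            if y * y % P == rhs:
                return (x, y)
        msg = h

# --- wallet side -----------------------------------------------------------
def blind(secret: bytes, r: int):
    """B_ = Y + r*G  (the blinded message sent to the mint)"""
    return ec_add(hash_to_curve(secret), ec_mul(r, G))

def unblind(C_, r: int, K):
    """C = C_ - r*K  (strip the blinding factor using the mint's public key K)"""
    return ec_add(C_, ec_neg(ec_mul(r, K)))

# --- mint side -------------------------------------------------------------
def mint_sign(B_, k: int):
    """C_ = k*B_  (the mint never sees Y or x here)"""
    return ec_mul(k, B_)

def mint_verify(secret: bytes, C, k: int) -> bool:
    """A token (x, C) is valid iff k*hash_to_curve(x) == C."""
    return ec_mul(k, hash_to_curve(secret)) == C

# --- deterministic secrets (stand-in for the BIP32 path derivation) ---------
def derive(seed: bytes, keyset_id: str, counter: int):
    """HMAC-SHA512(seed, keyset/counter): first half -> secret x, second half -> r."""
    d = hmac.new(seed, f"{keyset_id}/{counter}".encode(), hashlib.sha512).digest()
    return d[:32], int.from_bytes(d[32:], "big") % (N - 1) + 1

def restore(seed: bytes, keyset_id: str, mint_store: dict, K, gap: int = 3):
    """Regenerate B_ for counter 0, 1, 2, ..., look each one up in the mint's
    store, unblind the hits, and stop after `gap` consecutive misses."""
    found, counter, misses = [], 0, 0
    while misses < gap:
        secret, r = derive(seed, keyset_id, counter)
        B_ = blind(secret, r)
        if B_ in mint_store:                     # "ask the mint" for this message
            found.append((secret, unblind(mint_store[B_], r, K)))
            misses = 0
        else:
            misses += 1
        counter += 1
    return found

def demo():
    """Mint four 1 sat tokens from a seed, 'lose' the wallet, recover from the seed."""
    k = secrets.randbelow(N - 1) + 1             # mint's private key for the 1 sat keyset
    K = ec_mul(k, G)
    seed = hashlib.sha256(b"constructed demo seed, not a real wallet").digest()
    mint_store = {}                              # constructed: the mint's B_ -> C_ records
    for counter in range(4):
        secret, r = derive(seed, "keyset-demo", counter)
        B_ = blind(secret, r)
        mint_store[B_] = mint_sign(B_, k)
    recovered = restore(seed, "keyset-demo", mint_store, K)
    return all(mint_verify(s, C, k) for s, C in recovered), len(recovered)

if __name__ == "__main__":
    print(demo())   # (True, 4)
```

The `restore` loop is the part the post describes with "generate a bunch of blinded messages": because x and r come from the seed and a counter, the wallet can rebuild exactly the B_ values the mint once signed, fetch the matching C_ values, and unblind them without ever having backed up the tokens themselves. It also shows why the seed must exist before minting: tokens created from random x and r have no counter to replay.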

I've implemented this in cashu-ts now, which is a library that is used in many cashu wallets out there (nutstash, eNuts, cashu.me, minibits ...)! So I think we can expect this feature coming soon TM.

Thanks for reading!

If you want to get into more details, here are the presentation slides: https://det-sec.gandlaf.com

and here is the Pull request: https://github.com/cashubtc/cashu-ts/pull/91

Cheers,

Gandlaf