Nutstash newsletter: #6 deterministic secrets and recovery from seed

Backing up ecash is... hard... it's weird. At least it was!

How does ecash backup work?

Ecash is just data! so the actual ecash can easily be backed up by simply creating a copy of the data and storing it somewhere else. Easy right? Problem solved?
not quite.
The ecash backed up with this scheme is like a "snapshot". But what if you receive more ecash into your wallet? This newly received ecash won't be backed up!
Or even worse: You spend a large token that gives you back a bunch of change. This change is also not backed up!
Damn..... So basically to make this backup scheme work, you have to make a backup after EVERY transaction! This is obviously never gonna happen, so we need a better solution.

The answer is? ...... deterministic secrets

To understand how this works, we need to take a look under the hood of the cashu protocol.
To create ecash, a wallet has to initiate the process by creating two randomly generated (huge) numbers.
r: the blinding factor
x: the secret
we then convert the secret number to a Point on the elliptic curve, by taking it's hash value.
this gives us Y
We then tweak our secret by adding our blinding factors Public Key. This will give us the Blinded message (B_)
In the next step, we send our blinded message to the mint and ask the mint to sign it by multiplying it with k. k represents a private key that the mint controls and is used for only one denomination (for example 1 sat). Usually the mint will only sign if we either destroy another valid ecash token with the same value, or we show proof of payment of a lightning invoice.
After the mint has signed, we can now "unblind" the blind signature C_ with the initial blinding factor r and the mints 1 sat public key K . This will give us C, the signature.
Together with the initial secret x, we can now proof to the mint that they signed x with C, without them being able to correlate it with the blinded message they signed! So, the secret x together with the signature C is what represents the ecash!

deterministic?

So far, the ecash has been created randomly. That's great, but it's impossible to recover. Instead, what we can do is derive the initial numbers from a bip39 seed phrase we all know and love, and use a bip32 derivation path to create unique but recreatable blinded messages. We simply increase a counter for each new secret and blinding factor, and we can generate new numbers deterministically!
In case we lose our wallet, we can now restore the ecash via the seed phrase. We start out by generating a bunch of blinded messages derived from the seed phrase:
Now, we can match our messages against the mints database and download all corresponding blind signatures.
We unblind them with the same scheme as before...
And with the mints help find out which tokens are not spent yet:
If we want to optimize for privacy, we will have to sacrifice some bandwith:
And that's it! that's how we can use a seed phrase to recover lost ecash! Important to know is, that we cannot create a seed phrase after creating the ecash. The seed phrase must come first! or the ecash won't be recoverable.
I've implemented this on cashu-ts now, which is a library that is used in many cashu wallets out there (nutstash, eNuts, cashu.me, minibits ...)! So I think we can expect this feature coming soon TM.
Thanks for reading!
If you want to get into more details, here are the presentation slides: https://det-sec.gandlaf.com
and here is the Pull request: https://github.com/cashubtc/cashu-ts/pull/91
Cheers,
Gandlaf