Fix/nut13 restore legacy derivation #1754
Open
Forte11Cuba wants to merge 2 commits into cashubtc:main from
Contributor
NAK. I was aware of this problem and I think we can ignore it, because the main wallets are all up-to-date and equipped for the v2 keysets rollout, so there is not going to be any instance of wallets wrongly using the v1 derivation for the v2 keysets (as the spec wants to account for)
Collaborator
Per discussion we said we would remove this from the spec, will leave this open as reference until that happens.
Description
Per NUT-13, when performing a restore for version `01` keysets, wallets MUST check secrets derived with both BIP32 legacy and HMAC-SHA256 derivation methods. Currently, `restore_batch()` only generates HMAC-SHA256 blinded messages for `01` keysets, causing incomplete restores when recovering proofs originally created with BIP32 derivation by older wallets.

This PR:
- `restore_batch()` to generate dual derivation (BIP32 legacy first, then HMAC-SHA256) for `01` keysets
- `from_seed_batch()` for saga replay paths that need single derivation with 1:1 signature correspondence
- `fn restore()` for the 2:1 output-to-counter ratio on `01` keysets
- `from_seed_batch()` to prevent vector length mismatch

Notes to the reviewers
The key distinction is between restore/discovery (`restore_batch`) and replay of known operations (`from_seed_batch`):
- `restore_batch()` — sends blinded messages to the mint to discover unknown proofs. For `01` keysets, must try both derivations since we don't know which was used originally.
- `from_seed_batch()` — re-derives secrets for replaying our own wallet's operations (swap/issue saga recovery). These always used `from_seed()` which picks a single derivation per version, so 1:1 correspondence with signatures is required.

The `legacy_derive()` methods already existed and were functional; they just were never called for `Version01` during restore.

Suggested CHANGELOG Updates
CHANGED
ADDED
- `PreMintSecrets::from_seed_batch()` for re-deriving blinded messages with single derivation per keyset version
REMOVED
FIXED
- `restore_batch()` now generates both BIP32 legacy and HMAC-SHA256 blinded messages for `01` keysets during restore, per NUT-13 spec requirement

Checklist
- `just final-check` before committing
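As an added illustration (not cdk's code and not this PR's diff), the counter-to-output bookkeeping the description relies on: the per-counter derivation order for `01` keysets, the 2:1 mapping from a restore-batch index back to the counter that produced it, and the 1:1 length check on the replay path. Assumptions: version `00` keysets only ever used BIP32, `from_seed` picks HMAC-SHA256 for `01`, and all type and function names here are mine.

```rust
// Added illustration, not cdk's code: models the ordering and ratio rules the PR describes.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum KeysetVersion { V00, V01 }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Derivation { Bip32Legacy, HmacSha256 }

/// Derivations a restore must try for each counter, in order: BIP32 legacy first,
/// then HMAC-SHA256 for version 01. Assumption: version 00 keysets only ever used BIP32.
pub fn restore_derivations(version: KeysetVersion) -> &'static [Derivation] {
    match version {
        KeysetVersion::V00 => &[Derivation::Bip32Legacy],
        KeysetVersion::V01 => &[Derivation::Bip32Legacy, Derivation::HmacSha256],
    }
}

/// Replay path (`from_seed_batch` in the PR): one derivation per version, so outputs stay
/// 1:1 with the stored signatures. Assumption: 01 keysets replay with HMAC-SHA256.
pub fn replay_derivation(version: KeysetVersion) -> Derivation {
    match version {
        KeysetVersion::V00 => Derivation::Bip32Legacy,
        KeysetVersion::V01 => Derivation::HmacSha256,
    }
}

/// Expand a counter range into the (counter, derivation) pairs a restore batch sends to
/// the mint. For version 01 this yields two outputs per counter (the 2:1 ratio).
pub fn restore_batch_plan(version: KeysetVersion, start: u32, count: u32) -> Vec<(u32, Derivation)> {
    (start..start + count)
        .flat_map(|c| restore_derivations(version).iter().map(move |d| (c, *d)))
        .collect()
}

/// Map the index of an output the mint recognised back to the counter that produced it.
/// Dividing by outputs-per-counter is what stops the 2:1 ratio from skewing the counter.
pub fn counter_for_output(version: KeysetVersion, start: u32, index: usize) -> u32 {
    start + (index / restore_derivations(version).len()) as u32
}

/// Next unused counter after a restore batch, given the indices the mint reported as known.
pub fn next_counter(version: KeysetVersion, start: u32, matched: &[usize]) -> u32 {
    matched.iter().map(|&i| counter_for_output(version, start, i) + 1).max().unwrap_or(start)
}

/// Replay outputs must pair 1:1 with the stored signatures; anything else is the
/// vector length mismatch the PR guards against.
pub fn check_replay_lengths(outputs: usize, signatures: usize) -> Result<usize, String> {
    if outputs == signatures { Ok(outputs) }
    else { Err(format!("{outputs} outputs vs {signatures} signatures")) }
}
```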