00.md (0 additions & 11 deletions)
@@ -95,11 +95,6 @@ A `Proof` is also called an _input_ and is generated by `Alice` from a `BlindSig
95
95
96
96
`amount` is the amount of the `Proof`, `secret` is the secret message and is a utf-8 encoded string (the use of a 64 character hex string generated from 32 random bytes is recommended to prevent fingerprinting), `C` is the unblinded signature on `secret` (hex string), `id` is the [keyset id][02] of the mint public keys that signed the token (hex string).
97
97
98
-
> [!NOTE]
99
-
> A proof may optionally be extended by other NUTs. These include:
100
-
>
101
-
> -[NUT-28][28]: Pay-to-Blinded-Key - adds `"p2pk_e": hex_str` to store an ephemeral pubkey
102
-
103
98
## 0.2 - Protocol
104
99
105
100
### Errors
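Review bot: with this NOTE gone, the proof extension field `"p2pk_e": hex_str` is documented only in 28.md, so a reader of the `Proof` object definition in NUT-00 has no pointer to it; the commit message should say that this is the intended split. Also check whether `[28]` is still referenced anywhere else in 00.md and drop the reference-style link definition as well if not, so the file does not keep a dangling link target.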
@@ -282,11 +277,6 @@ If a short keyset ID resolves to more than one known full keyset ID, the identif
282
277
283
278
The mint is unaware of the `s_id`. All API endpoints exposed by the mint use the full keyset ID.
284
279
285
-
> [!NOTE]
286
-
> The token format may optionally be extended by other NUTs. These include:
287
-
>
288
-
> -[NUT-28][28]: Pay-to-Blinded-Key - adds `"pe": bytes` to individual proofs
289
-
290
280
##### Example
291
281
292
282
Below is a TokenV4 JSON before CBOR and `base64_urlsafe` serialization.
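Review bot: the deleted note was the only place that named the P2BK field in the TokenV4 (CBOR) form, and it disagreed with the Proof note (`"pe": bytes` here versus `"p2pk_e": hex_str` in the Proof note and in 28.md). Removing it clears the inconsistency, but the compact TokenV4 encoding of the ephemeral key is now specified nowhere in 00.md; either 28.md should define the TokenV4 key name and byte encoding, or a one-line pointer to NUT-28 for the TokenV4 encoding should stay here.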
28.md (9 additions & 9 deletions)
@@ -10,19 +10,17 @@
10
10
11
11
This NUT describes Pay-to-Blinded-Key (P2BK), which extends the [NUT-11][11] (P2PK) spending conditions. By implication, it also extends [NUT-14][14] (HTLC).
12
12
13
-
P2BK preserves privacy by blinding each NUT-11 receiver pubkey `P` with an ECDH-derived scalar `rᵢ`. Both sides can deterministically derive the same `rᵢ` from their own keys, but a third party cannot.
14
-
15
-
This brings _"silent payments"_ to Cashu: Proofs can be locked to a well known public key, posted in public without compromising privacy, and spent by the recipient without needing any side-channel communication.
13
+
P2BK preserves privacy by blinding each NUT-11 receiver pubkey `P` with an ECDH-derived scalar `rᵢ`. Both sides can deterministically derive the same `rᵢ` from their own keys, but a third party cannot. This improves user privacy by preventing the mint from linking multiple P2PK spends by the same party.
16
14
17
15
## ECDH Shared Secret (Zx)
18
16
19
-
ECDH allows two parties to create an x-coordinate shared secret (`Zx`) by combining their private key with the public key of the other party: `Zx = x(epG) = x(eP) = x(pE)`.
17
+
Elliptic-curve Diffie–Hellman (ECDH) allows two parties to create an x-coordinate shared secret (`Zx`) by combining their private key with the public key of the other party: `Zx = x(epG) = x(eP) = x(pE)`.
20
18
21
19
For P2BK, the sender creates an ephemeral keypair (private key: `e`, public key: `E`). This protects the privacy of their own long-lived public key. They then calculate the shared secret by combining the ephemeral private key (`e`) and the receiver's long-lived public key (`P`).
22
20
23
-
The receiver calculates the same shared secret using their private key (`p`) and the ephemeral public key (`E`), which is supplied by the sender in the [proof metadata](#proof-object-extension).
21
+
The receiver calculates the same shared secret `Zx`using their private key (`p`) and the ephemeral public key (`E`), which is supplied by the sender in the [proof metadata](#proof-object-extension).
24
22
25
-
This shared secret is then used to derive the blinded public keys.
23
+
The shared secret`Zx` is then used to derive the blinded public keys.
26
24
27
25
## Deriving Blinded Public Keys
28
26
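Review bot: two added lines lose the space around inline code: `Zx`using should read `Zx` using, and secret`Zx` should read secret `Zx`. On the rewritten privacy paragraph, the claim that the mint cannot link multiple P2PK spends by the same party holds only when the sender uses a fresh ephemeral key `e` per proof: `E` is published in `p2pk_e` and is visible to the mint, and with the same `e` and the same receiver key `P` the derived `Zx` and the blinded keys `P'` repeat, so the paragraph should state the freshness requirement. The rewrite also drops the silent-payments sentence (locking to a well-known public key posted in public, spent with no side channel); if that use case is still intended, keep it, since it is the motivation for the ephemeral-key design that follows.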
@@ -61,7 +59,9 @@ Finally, the public key (`P`) for slot `i` is blinded (`P'`) as follows:
61
59
P' = P + rᵢG
62
60
```
63
61
64
-
Here is a code example in TypeScript:
62
+
### Example
63
+
64
+
Below is an example implementation in TypeScript.
65
65
66
66
```ts
67
67
function deriveP2BKBlindingTweakFromECDH(
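Review bot: the new `### Example` heading and lead-in say less than the replaced `Here is a code example in TypeScript:` about what the snippet covers; state that `deriveP2BKBlindingTweakFromECDH` implements the `rᵢ` derivation and the `P' = P + rᵢG` step from the section above, so the heading does not read as a full end-to-end example. Also confirm that `### Example` sits one level under the enclosing `## Deriving Blinded Public Keys` heading rather than starting a new subsection, and that the two added blank lines do not leave a double blank line before the fence.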
@@ -105,7 +105,7 @@ Each proof adds a single new metadata field:
105
105
"id": hex_str,
106
106
"secret": str, // still ["P2PK", {...}]
107
107
"C": hex_str,
108
-
"p2pk_e": hex_str // 33-byte SEC1 compressed ephemeral public key E
108
+
"p2pk_e": hex_str //NEW: 33-byte SEC1 compressed ephemeral public key E
109
109
}
110
110
```
111
111
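Review bot: `//NEW:` is missing the space after `//`, and a NEW marker inside the spec's JSON proof object is a changelog artefact rather than specification text; the intro line already says each proof adds a single new metadata field, so the previous `// 33-byte SEC1 compressed ephemeral public key E` was the cleaner comment. If the field needs highlighting, do it in prose outside the block.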
@@ -118,7 +118,7 @@ Each proof adds a single new metadata field:
118
118
119
119
With P2BK, the NUT-11 public locking keys are permanently blinded. The mint sees only the blinded public keys, and expects signatures from the corresponding private key.
120
120
121
-
The receiver must therefore derive the correct blinded private key. Because BIP-340 lifts public keys to even-Y parity, there are two possible derivation paths:
121
+
The receiver must therefore derive the correct blinded private key (`k`). Because BIP-340 lifts public keys to even-Y parity, there are two possible derivation paths:
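Review bot: introducing the symbol `k` for the blinded private key is useful, but the sentence should tie it to the public side defined earlier: `k` is the scalar with `kG = P'` for `P' = P + rᵢG`, so the two parity paths that follow are the two candidate values of `k`. Without that relation a reader cannot tell whether `k` is per slot `i` (as `rᵢ` is) or a single key.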