add deterministic NUT-20 quote locking derivation #373

Open
Egge21M wants to merge 2 commits from Egge21M/nut-20-locking into main
Egge21M commented 2026-05-21 21:15:44 +00:00 (Migrated from github.com)

Summary

Adds deterministic wallet seed derivation guidance for NUT-20 quote locking keys using the Cashu SLIP-0044 coin type and a NUT-20-specific BIP32 path.

Updates the NUT-20 test vectors with the first five derived compressed secp256k1 public keys for the documented mnemonic.

Validation

  • Compared Egge21M:nut-20-locking against cashubtc/nuts:main with the GitHub connector: 1 commit ahead, 0 behind
  • Reviewed the local diff for 20.md and tests/20-test.md
  • No local test runner or workflow config is present in this checkout
callebtc (Migrated from github.com) reviewed 2026-05-21 21:35:42 +00:00
@ -39,6 +39,26 @@ with the requested `amount`,`unit`, and `description` according to [NUT-04][04].
>
callebtc (Migrated from github.com) commented 2026-05-21 21:35:37 +00:00

wut

Egge21M (Migrated from github.com) reviewed 2026-05-21 22:00:08 +00:00
@ -39,6 +39,26 @@ with the requested `amount`,`unit`, and `description` according to [NUT-04][04].
>
Egge21M (Migrated from github.com) commented 2026-05-21 22:00:08 +00:00

Fixed :)

robwoodgate commented 2026-05-29 12:31:56 +00:00 (Migrated from github.com)

As [per my comment](https://github.com/cashubtc/nuts/pull/331#pullrequestreview-4380936838) on the related deterministic P2PK key spec (#331), unless there is an overwhelmingly strong reason to use BIP32, then a HMAC-SHA256 KDF is much faster, unless BIP-32 is carefully handled.

```
Pattern                                          Cost/key   vs HMAC
HMAC-SHA256                                       ~165 µs    1.0×
BIP-32 parent-cached, HDKey.publicKey             ~172 µs    1.0×    natural restore-loop code
BIP-32 master-cached, full path per derive        ~862 µs    5.2×    natural single-derive code
BIP-32 cold, no caching                          ~1216 µs    7.4×    worst case
```
robwoodgate commented 2026-05-29 16:14:21 +00:00 (Migrated from github.com)

I have proposed a [HMAC-SHA256 KDF derived alternative](https://github.com/cashubtc/nuts/pull/384), which would close this PR.
Egge21M commented 2026-05-30 07:51:00 +00:00 (Migrated from github.com)

> I have proposed a [HMAC-SHA256 KDF derived alternative](https://github.com/cashubtc/nuts/pull/384), which would close this PR

Iirc this has been discussed in the past in Leitos original PR for P2PK locking keys. Using BIP32 might be a tad slower, but it leaves the possibility to build something with the extended public keys. Imagine a watch-only wallet for mint quotes.
robwoodgate commented 2026-05-30 08:28:06 +00:00 (Migrated from github.com)

> > I have proposed a [HMAC-SHA256 KDF derived alternative](https://github.com/cashubtc/nuts/pull/384), which would close this PR
>
> Iirc this has been discussed in the past in Leitos original PR for P2PK locking keys. Using BIP32 might be a tad slower, but it leaves the possibility to build something with the extended public keys. Imagine a watch-only wallet for mint quotes

Yeah, am not convinced it would not be a huge linkability issue compromising privacy. I mentioned it in my replacement PR.
a1denvalu3 (Migrated from github.com) approved these changes 2026-06-07 20:35:05 +00:00