Derive ETH address from existing pubkey #258
Conversation
|
If the above formula is valid, can we also derive the Bitcoin address from |
|
NACK - Adding various crypto support on a protocol level is unnecessary bloat. Clients could give whatever addresses they want to their users by utilising NIP-06 for example and putting this stuff in kind-0 events if they really wanted to... |
|
I can borrow an account with NFT and publish a signature. However, I dont own that private key.
OK, but it is not important any more. I realized that nostr removed the 02/03 prefix before the 32bytes public key. BTW, I see a relay hard code the '02' prefix: https://github.com/johnny423/pyrelay/blob/0cf683b1ea376c8ee69fd174a9699578bf2cfba6/pyrelay/nostr/event.py#L109 Now #254 is a better solution. |
Not a pro on the cryptography behind it, but I think you are confusing ECDSA and Schnorr... Schnorr public keys are supposed to be 32-bytes. See BIP-340 for more information on this |
Thanks for comment on this. |
|
Wait, it is not over. This NIP aims to display the user's eth address of the current 32bytes private key. However, if we place the eth address in the event, we can verify the correctness of the eth address by two calc: '02'+pubkey or '03'+pubkey. If one of the calculations is equal to the eth address in the event, the address is verified. I'm going to make a new commit to update the PR. |
|
If you publish the address inside an event, you sign it with your private key. Why would you need additional verification? Why does the address need to be derived from your pubkey? You can put any address you control in the event. |
Yes, if we need to put any address we control in a event, a signature is required. To prove you own the address(not using other's signature), it requires to include the signature periodically. If the eth address is from the private key you are using in nostr, every nostr event signature indicates you own the private key. However, you dont need to publish the eth addr in every event. User can choose to reveal their eth address when necessory. Just like we can choose to not upload the profile pic at the beginning. They eth address can be useful, if a user accepts payment, or a relay checks the payment from a user through a eth addressed chain. User may also send their NFT to the eth addr by nostr private key, so the client can show the NFT badges when they are posting or DM or in a group chat. |
|
I still see no reason to a) have a seperate NIP per shitcoin b) derive shitcoin keys from nostr keys. As described earlier clients could use NIP-06 to derive different currency keys as well as a nostr key from a single root key and reveal payment addresses inside kind-0 events. See: #262 |
It depends on their key curve and others. I dont care.
Since the relay can not get the private key, it is hard to verify. Let's make it clear, I'm not a fan of ETH. I love PoW. |
|
@barkyq Thanks for mention. The goal of this proposal is not to derive new private key from existing key. Now, since the address cannot be calcuated, the current suggestion is let the private key owner write down the derived address. The verification of the address needs two round of calc, however it is still acceptable. Waiting for more feedback before revising the markdown. |
Reusing same keys for multiple chain/purposes isn't good for privacy and security... #268 author here 🙏 , tldr; version
Bob is sending 0.1 $COIN to AliceBob Side
Alice side
For ref, there's docs/codes from umbra.js and half baked-half potato blog post from Vitalik Buterin, An incomplete guide to stealth addresses. One down side on ETH/EVM chains if you're sending tokens/nfts, as there's no gas fees in new addr to transfer that out. (*most tokens don't have permit/2 signature feature) Example pseudo/js code based on umbra.js docs.// ---- Bob side
// Alice's public key
// it's better to request fresh pub key and initialize as payment channel
const pubkey = alice.pubkey;
// Generate a random 32 bytes number, or increment last r value as nonce
const randomNumber = new RandomNumber();
// EC Multiply Alice's public key with randomNumber
const newPubKey = pubkey.mulPublicKey(randomNumber);
// Send funds to that new address
console.log('Alice's new address: ', newPubKey.toAddr());
// Transmit `randomNumber` to Alice over encrypted message
// Use ephemeral keys on both sides for privacy to transfer encrypted `randomNumber` value.
// ---- Alice Side
// Received Bob's randomNumber over encrypted message
// Alice's original private key
const privKey = alice.privKey ;
// EC multiply private key with random number from Bob to generate corresponding private key
const newPrivKey = PrivKey.mulPrivateKey(randomNumber);
// Access funds and confirm addresses match
console.log(newPubKey.toAddr() === newPrivKey.toAddr()); // true
console.log('Private key to access received funds: ', newPrivkey); |
I get your point, but the eth address is only used for receiving NFTs. It only transfers OUT when the user decide to abandon the account. Advance cryptography is fancy, but it is not KISS enough. Keep working on that! |
|
Hello all, I updated the PR with a thanks |
|
You really should not do this. To echo what @0xc0de4c0ffee said, its bad for security, you can literally lose your crypto by re-using the same keys with different signature algorithms. |
|
The consensus seems to be that this widens the scope of the protocol too much, and is a bad idea anyway. Maybe an external repository could be created with standards for deriving different kinds of addresses from one another? |
I find a smarter way after PR https://github.com/nostr-protocol/nips/pull/254/files
The solution is from the math.