From 46a4d95fb49ac304d1ba7b7cfdd646fbbb6b4a5a Mon Sep 17 00:00:00 2001 From: Arman The Parman <77603167+ArmanTheParman@users.noreply.github.com> Date: Tue, 18 Jun 2024 22:45:04 +1000 Subject: [PATCH] public key extra compression info Important notes about extra pubkey compression used in Nostr --- 06.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/06.md b/06.md index 0e50254..29661ca 100644 --- a/06.md +++ b/06.md @@ -10,10 +10,16 @@ Basic key derivation from mnemonic seed phrase [BIP32](https://bips.xyz/32) is used to derive the path `m/44'/1237'/'/0/0` (according to the Nostr entry on [SLIP44](https://github.com/satoshilabs/slips/blob/master/slip-0044.md)). -A basic client can simply use an `account` of `0` to derive a single key. For more advanced use-cases you can increment `account`, allowing generation of practically infinite keys from the 5-level path with hardened derivation. +A basic client can simply use an `account` of `0` to derive a single key. For more advanced use-cases you can increment `account`, allowing the generation of practically infinite keys from the 5-level path with hardened derivation. -Other types of clients can still get fancy and use other derivation paths for their own other purposes. +Other types of clients may choose to get fancy and use other derivation paths for their own alternative purposes. +Nostr public keys have extra compression compared to Bitcoin compressed public keys, meaning that the y-coordinate is not only omitted, but parity is not even indicated with the '03'(odd), nor '02' (even) prefixes. In other words, only the x-coordinate is included without any extra prefix marker. This matters in three contexts (there may be others): + - When borrowing code from Bitcoin public/private key cryptography. This will likely output public keys with a 02/03 prefix (compressed) or 04 (uncompressed), which needs to be removed. + - Conversion of a public key, to bech32. The pure x-coordinate value without prefix must be used as the input, not a compressed public key. + - Verification. The calculation of BOTH y-coordinate possibilities from the supplied x-coordinate is required, in order to check the signature against both versions of full public keys(x,y) - only one y-coordinate will be valid when verification passes. + + ### Test vectors mnemonic: leader monkey parrot ring guide accident before fence cannon height naive bean\