NUT-XX: Get quotes by pubkeys#341
Conversation
robwoodgate
left a comment
robwoodgate
left a comment
There was a problem hiding this comment.
The signature scheme is a bit worrying, but otherwise just some nit/questions for clarity.
| - `pubkeys` is an array of hex-encoded compressed secp256k1 NUT-20 public keys (33 bytes each) | ||
| - `pubkey_signatures` is an array of hex-encoded Schnorr signatures on `pubkeys` in the same order (64 bytes each) | ||
|
|
||
| The wallet **MUST** provide a valid signature in `pubkey_signatures` for each public key in `pubkeys` with the corresponding private key in the same order as the `pubkeys` array. The message to sign is the byte representation of the public key. |
There was a problem hiding this comment.
I think signature on the plain public key is pretty risky, as it allows signature replay in any "proof of key ownership" context, or even for future uses on other endpoints and other mints.
It would be better defined as a signature on a domain separated message like we do in P2BK / keyset v2
eg: SHA-256( b"Cashu_NUTXX_QUOTE_v1" || MINT_URL || method || pubkey )
or
eg: SHA-256( b"Cashu_NUTXX_QUOTE_v1" || NONCE || pubkey )
where NONCE is a random shared nonce, supplied in a nonce param:
{
"pubkeys": <Array[str]>,
"pubkey_signatures": <Array[str]>,
"nonce": str
}
)
| "quotes": <Array[MintQuoteResponse]> | ||
| } | ||
| ``` | ||
|
|
There was a problem hiding this comment.
We should probably specify what happens if any signature is invalid. Does entire op fail, or does mint return only the valid ones? What happens if more/fewer sigs are provided than pubkeys?
There was a problem hiding this comment.
I think we should match the plan for batched minting where if any are invalid the whole op fails.
There was a problem hiding this comment.
Agree. It lowers the abuse surface too, because a mint can reject at first invalid signature (or on mismatch key/sig count), rather than continue processing.
There was a problem hiding this comment.
I added a suggestion to the request section above, but it could be moved to response section if preferred.
| - `pubkeys` is an array of hex-encoded compressed secp256k1 NUT-20 public keys (33 bytes each) | ||
| - `pubkey_signatures` is an array of hex-encoded Schnorr signatures on `pubkeys` in the same order (64 bytes each) | ||
|
|
||
| The wallet **MUST** provide a valid signature in `pubkey_signatures` for each public key in `pubkeys` with the corresponding private key in the same order as the `pubkeys` array. The message to sign is the byte representation of the public key. |
There was a problem hiding this comment.
| The wallet **MUST** provide a valid signature in `pubkey_signatures` for each public key in `pubkeys` with the corresponding private key in the same order as the `pubkeys` array. The message to sign is the byte representation of the public key. | |
| The wallet **MUST** provide a valid signature in `pubkey_signatures` for each public key in `pubkeys` with the corresponding private key in the same order as the `pubkeys` array. The message to sign is the byte representation of the public key. | |
| ### Signature Validation Failure | |
| If there is a mismatch between signature and pubkey counts, or **any signature is invalid**, the mint MUST reject the request and return an error. |
Co-authored-by: Rob Woodgate <robwoodgate@users.noreply.github.com>
Co-authored-by: Rob Woodgate <robwoodgate@users.noreply.github.com>
| @@ -0,0 +1,60 @@ | |||
| # NUT-29: Mint Quote Lookup by Public Key | |||
There was a problem hiding this comment.
This needs a new NUT number, NUT-29 is already defined in NUT-29: Batched Minting
There was a problem hiding this comment.
Generally we us XX and just define before merge
|
|
||
| ```json | ||
| { | ||
| "29": { |
There was a problem hiding this comment.
This needs a new NUT number, NUT-29 is already defined in NUT-29: Batched Minting
Same thing here
| - `pubkeys` is an array of hex-encoded compressed secp256k1 NUT-20 public keys (33 bytes each) | ||
| - `pubkey_signatures` is an array of hex-encoded Schnorr signatures on `pubkeys` in the same order (64 bytes each) | ||
|
|
||
| The wallet **MUST** provide a valid signature in `pubkey_signatures` for each public key in `pubkeys` with the corresponding private key in the same order as the `pubkeys` array. The message to sign is the byte representation of the public key. |
There was a problem hiding this comment.
A static schnorr signature allows replay attacks: if I observe a signature i can use it to query the status of a quote again and again.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
I've opened a PR with the updated signature logic and test vectors here: #363 |
I support @a1denvalu3 's approach in #363 - using a timestamp also allows a mint to prevent reuse of the signature after xx minutes too. It would be even better with a domain prefix, in case a similar scheme is used later on elsewhere: But with a timestamp max age specified, the reuse window would be minimal in any case. |
|
Thanks for opening this — it's great to see this direction being taken seriously. I'm building an ESP32-based captive portal (TollGate) that provides WiFi access in exchange for ecash payments. My use case: a mining proxy on the ESP32 connects to a hashpool translator via SV1 stratum. The translator mints ehash tokens for the miner's locking pubkey and currently pushes them downstream via a custom This NUT ("Get quotes by pubkeys") would let me eliminate the translator middleman — the ESP32 could directly query the mint for quotes attributed to its pubkey, receive tokens without the push notification hack. This is especially important for resource-constrained devices where running a full translator is impractical. The domain-separated signature scheme in #363 (timestamp + mint pubkey) looks solid. I'm really looking forward to using this functionality — happy to test with my ESP32 implementation once the spec stabilizes. |
8 participants
supersedes #329
Get NUT-20 quotes by
pubkeys. Requires signatures to prove possession of the corresponding private keys.