I am investigating the possibility of generating a public key for every possible token amount (sats) up to a practical limit. That means every unique token amount would be issued under a corresponding private key, have its own public key and signature. To test, I mocked up this function (taken from nutshell core.cryto.keys)
def derive_key_for_amount(mnemonic: str, derivation_path: str, amount: int):
"""
Deterministic derivation of a key for a given amount in sats.
"""
bip32 = BIP32.from_seed(mnemonic.encode())
amount_str = f"/{amount}'"
return {amount: PrivateKey(
bip32.get_privkey_from_path(derivation_path + amount_str),
raw=True,
)}
The function is simple - it just tacks on the amount as part of the derivation path from the private key that comes from the path.
I tested this function and it works for the amounts in the range of 1 sat to 21e8 sats (or 2.1 BTC) - before it begins to overflow. That means it is possible to derive a unique private key/public key for each token satosihi value from 1 to 2.1BTC.
Where this is beneficial, using this scheme, each token is the effectively same length: (amount, proof, signature), where amount is anything in the range above and the signature are derived and generated as above. The token can be one single proof, versus an array of proof adding up to a required amount
There would also a lesser need to find a summand of proofs (2^n) that add up to a required amount - instead you find a proof or a few proofs greater than the amount required, and swap for a proof for the amount difference.
Anyway, this is a preliminary investigation. If there are showstoppers that I haven't considered, please let me know.
In closing, my primary motivation is to have a Cashu token that is as small and consistent size as possible, as I see there is a huge potential for these tokens to be used in constrained devices such a network routers.
I am investigating the possibility of generating a public key for every possible token amount (sats) up to a practical limit. That means every unique token amount would be issued under a corresponding private key, have its own public key and signature. To test, I mocked up this function (taken from nutshell core.cryto.keys)
The function is simple - it just tacks on the amount as part of the derivation path from the private key that comes from the path.
I tested this function and it works for the amounts in the range of 1 sat to 21e8 sats (or 2.1 BTC) - before it begins to overflow. That means it is possible to derive a unique private key/public key for each token satosihi value from 1 to 2.1BTC.
Where this is beneficial, using this scheme, each token is the effectively same length: (amount, proof, signature), where amount is anything in the range above and the signature are derived and generated as above. The token can be one single proof, versus an array of proof adding up to a required amount
There would also a lesser need to find a summand of proofs (2^n) that add up to a required amount - instead you find a proof or a few proofs greater than the amount required, and swap for a proof for the amount difference.
Anyway, this is a preliminary investigation. If there are showstoppers that I haven't considered, please let me know.
In closing, my primary motivation is to have a Cashu token that is as small and consistent size as possible, as I see there is a huge potential for these tokens to be used in constrained devices such a network routers.