[Wallet] BIP32 deterministic key derivation (towards mint-assisted backups) #92

Closed
callebtc opened this issue Jan 12, 2023 · 3 comments
Labels
enhancement New feature or request mint About the Nutshell mint nuts NUT specs related wallet About the Nutshell wallet

Comments

@callebtc
Collaborator

Summary

Generate random values in the wallet deterministically in order to enable mint-assisted backups.

Description

In their current implementation, Cashu wallets generate random secrets and blinding_factors to be signed by a mint. Using a deterministic derivation scheme like BIP32 could in principle allow a wallet to restore these quantities from a single seed phrase.

This has no immediate benefits per se but it enables something that, afaik, is an unsolved problem with ecash systems so far, namely backups. If a wallet could re-generate these random values when restoring a backup, in principle, it could be able to restore the BlindedSignatures with the help of the mint. The mint would simply have to keep a log of all produced BlindedSignatures and re-send them to the wallet that requests a backup restoration.

Initially, this would be a free service, but in case the data burden ever gets too large, the mint could ask for a small fee for this service. For closed systems, the benefits seem to be far greater than the costs.
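
The scheme proposed above, as an added example that is not part of the original issue or the Nutshell code: the wallet derives each secret and blinding_factor from one seed with hardened BIP32 derivation, then restores by re-deriving them in order and asking the mint's log for matching signatures. The path layout `m/0'/counter'/{0,1}'`, the `gap_limit` stop rule, the SHA-256 stand-in for the real blinded message, and the dict standing in for the mint's log are all assumptions made for illustration.

```python
import hashlib
import hmac

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
HARDENED = 0x80000000

def master(seed: bytes):
    # BIP32 master private key and chain code
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]

def ckd_hardened(k: int, c: bytes, index: int):
    """BIP32 hardened private child derivation (needs no curve arithmetic)."""
    data = b"\x00" + k.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    i = hmac.new(c, data, hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k) % N, i[32:]

def derive(seed: bytes, path):
    k, c = master(seed)
    for index in path:
        k, c = ckd_hardened(k, c, index)
    return k

def output(seed: bytes, counter: int):
    """(secret, blinding_factor) for one output; the path layout is assumed."""
    secret = derive(seed, (0, counter, 0)).to_bytes(32, "big").hex()
    r = derive(seed, (0, counter, 1))
    return secret, r

def blind(secret: str, r: int) -> str:
    """Stand-in for the blinded message (a curve point in a real wallet)."""
    return hashlib.sha256(secret.encode() + r.to_bytes(32, "big")).hexdigest()

def restore(seed: bytes, mint_log: dict, gap_limit: int = 3):
    """Re-derive outputs in order; stop after gap_limit consecutive misses."""
    found, misses, counter = [], 0, 0
    while misses < gap_limit:
        secret, r = output(seed, counter)
        sig = mint_log.get(blind(secret, r))
        if sig is None:
            misses += 1
        else:
            found.append((counter, secret, r, sig))
            misses = 0
        counter += 1
    return found

if __name__ == "__main__":
    seed = bytes(range(16))  # constructed sample seed, not a real wallet seed
    log = {blind(*output(seed, n)): f"sig{n}" for n in (0, 1, 3)}  # constructed mint log
    print([c for c, *_ in restore(seed, log)])
```

A restore that stops at the first miss would lose every output after an unused counter, which is why the loop tolerates a run of misses before giving up.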

@dpc

dpc commented Jan 16, 2023

Hi. For reference: I've implemented this for Fedimint and it's documented in https://github.com/fedimint/fedimint/blob/3f746db89326bc2ec0872c5434d397e7e6d566d0/docs/backup_and_recovery.md

For anyone that will be working on this: I'd be happy to chat, exchange ideas and I hope to get a second pair of eyes on the whole scheme this way.

@callebtc callebtc changed the title from "TODO: BIP32 deterministic key derivation (towards mint-assisted backups)" to "[Wallet] BIP32 deterministic key derivation (towards mint-assisted backups)" on Mar 4, 2023
@callebtc
Collaborator Author

callebtc commented Mar 4, 2023

Sorry for missing this @dpc. Yes, very interesting! So nice to see that we came to the same solution independently, that tells me that this is a good path.

I've teased a PoC here: https://twitter.com/callebtc/status/1620186555993456641

It seems to work. My current state (haven't worked much on it the last few weeks) is in the deterministic_secrets branch. I will follow up on this for sure.

@callebtc callebtc added enhancement New feature or request wallet About the Nutshell wallet mint About the Nutshell mint nuts NUT specs related labels Apr 28, 2023
@callebtc
Collaborator Author

Fixed in #131
