Thread

1. Nostr signer APIs don't have a `signBitcoinTransaction` method. We can fix that. 2. Yes (same as Nostr) 3. Yes (same as Nostr)

For optimizing the privacy for p. 2 & 3, can't we use the BIP85 Child Key (nostr signing key) as a new key and derive addresses from it?

Cool. How tricky is adding the silent payments vibe-coding to this, any specific challenges ?

Indeed. Next we can fix Nostr with HD wallets. If your nsec gets compromised you can just generate another and cryptographically prove that they're linked.

I though everyone was doing it. My nostr key is derived from my bip39 master key.

Most clients don't. It would fix a lot if they did, though. You'd still have to guard the root key with your life. If you lost a child key you could potentially recover by emitting a "move" event from the root key.

The clients should remain dumb to this process to avoid a leak. The users should be deriving the nostr key from their master key that they have thoroughly backed up in steel plates. You can recover the child key as long as you have the master key back up and the index number attached to the child key. This is primarily a security feature that users must warp their heads around. It has to be done in a secure environment, on a laptop that has never been online and that will never be online, with WiFi/BT and hard drive stripped and by using tails from a USB stick. Clients can't do this in a secure manner.

Probably dedicated signer apps like Amber should do this. I believe Alby already does it.

That was my question: if we can use the child key to derive addresses from it through signer apps, our initial master key would t he exposed even to these apps. I'm not sure whether we can use BIP85 32 bytes hex to derive addresses.

Yes

how did you import the NSEC into bluewallet?

I sent it from Cashapp and received it on the new Nostr Wallet for my npub

Over Lightning? You connected in the app option

I dont know what you are saying 😭 But no, not over lightning. Over real bitcoin.

I need to investigate how to do that

Is there any iOS mobile wallet that Supports this too?

It's a web app so you can just open the link on Safari I think!

vibing...

The input text box is hidden behind the keyboard so I can't see what I'm typing. Firefox on graphene. Cashu routstr is perfect. I started vibing in 30 seconds. It stops vibing when my phone goes to sleep so that severely limits usefulness.

BTW silent payment address derived from nsec is the best solution. You prolly need a hosted trusted index service to make mobile UX not terrible.

Zaps are public anyway. No downside really. Use a different wallet for private payments.

You can tip Nostr users on Amethyst without broadcasting publically to Nostr relays iirc (strictly through Lightning Network) Would be cool to have that option

You'd have to publish your bitcoin address(es) in your kind 0. This solution doesn't even require that. No more bullying people to "add an address to your profile so I can zap you". You don't even need to connect to a relay.

Can it be adapted to generate a silent payment address? With SilentPay, you can eliminate the problem of address reuse.

Good idea

I would pay a bounty for this feature. Cake Wallet already had a full version of this feature, even though it was in the beta phase. Nostr needs this feature by default. On-chain needs to be used more and have more social use cases.

Make sure Luke doesn't mark it a a spam 😂

Yes there are many more now,

Silent Payments Wallet Support

Keep up to date with wallet support for Silent Payments across the Bitcoin ecosystem

I want a solution that is ready to use straight away on nostr and with it, all npubs can receive a private on-chain transaction on their profiles. Only the sender knows your public address.

U can just build stuff 🍻

Yes

Payments are public on nostr so address reuse doesn’t seem to be too much of a problem. Could silent payments play a role in the future?

So, lightning payments are public normally. That means we can see who zapped who. We can't, however, see what the receiver of that zap then did with it later. With this, we'd be able to. Not trying to shit on it or anything, just understand the limitations. Seems like it'd be best to at LEAST submarine swap, lightning swap, or coinjoin before spending.

The generic signing method in Alby is a major security vulnerability. People don't know what they're signing or how much. We need a dedicated signBitcoinTransaction method.

I apologize for my ignorance, but what is wrong with that?

>It's not possible to sign an arbitrary message with any sort of signature scheme by Trezor. > >It would be really stupid to allow this: if the message is arbitrary, you can stuff in, say, a valid Bitcoin transaction. Then it's a matter of crafting a clever malware, telling the user: "Security check: please confirm the following characters on your Trezor screen to validate your wallet", and stealing their money. > >The SignMessage APIs look like they accept an arbitrary message, but they don't sign it: the data that is actually signed is "Bitcoin Signed Message:\n(11 bytes)hello world" or something along these lines. > >Even if that is good enough for you, this feature currently does not support Schnorr signatures :( because there hasn't yet emerged a standard for taproot message signing. Source: https://www.reddit.com/r/TREZOR/comments/vrftwn/comment/iexubo7/

that basically says the user is a security vulnerability or we have a too complicated system where users need to sign events that they don't understand? :) (at the same time users complain they get asked too much) and any signing prompt is imo better than handing over the private key. generally the user needs a bit of trust in the webapp. otherwise signing something is never a good idea imo. I think there is a signPsbt function.

do you think there is a difference between a hardware wallet and a web wallet associated to a nostr key? for me it’s kinda confusing to apply something from hardware wallet to a web wallet that works with a nostr key and also prompts users for the actual private key

Thank you for the thoughtful response.

funds dont show. sorry