Hey folks,
I've been tinkering with Nostr and Bitcoin lately and got a question. Since both of them run on the same secp256k1 curve, do you think we can take a Nostr public key and turn it into a Bitcoin address?
Here’s what’s on my mind:
Nostr and Bitcoin both use secp256k1, right? So could we just use a Nostr public key directly for a Bitcoin public key and manage everything with the nostr private key (nsec)? Are there any format or encoding quirks I should watch out for?
If it is possible to use the Nostr public key for Bitcoin, how would I convert it into a Bitcoin address? Does the type of address matter? I’m mainly worried about the BTC public key being exposed unless there’s some zero-knowledge way around it.
Has anyone tried this? I would really appreciate any tips or just a nudge in the right direction.
Thanks!
Turning Public keys into Bitcoin address involves hash functions that'll result with specific size which is encoded into an address;
So generally, any input can be turned into a valid address. The issue is you might not be able to spend from it using Nostr public key's private key pair.
I'm not familiar with Nostr so don't count on my words alone.
Anyways, if the private key's size is 256bit, then just encode your private key into WIF (Wallet Import Format) so that it can be imported to almost all Bitcoin wallets.
The wallet will do the job of deriving the bitcoin-compatible public key and address from it.
In that regard, it doesn't matter if your Nostr public key is incompatible as long as your private key is valid.
I doubt it since it's not a good idea to use the same private key on different platforms, it has the same security risk as reusing passwords.
What is nostr, Is that a new garbage coin? Anyways you can use all private/public key pairs in existence as long as your coins are using the same curve parameters, if it's secp256k1, you can use the key pair on any other coin using the same curve.
Only difference is address generation process, for instance, ETH uses uncompressed public keys and a different hash function, Bitcoin uses nowadays compressed public keys with sha256 + rmd160 hash functions to derive the address.
In practice you should do as our friend suggested, import the private key and let the wallet do the rest.
But you can't use the same address formats if they are not compatible, just like you can't use ETH address to send BTC and vice versa. What type of address you want anyways?
Edit, lol don't use any private key generated outside a secure wallet.
This is my doubt. If anyone can derive a Bitcoin wallet directly from a Nostr public key (npub) so that they are natively linked. It would be simpler (and perhaps safer) to post a message on Nostr, publishing and signing with any Bitcoin address, but my question is more theoretical than practical.
Not a shitcoin at all, a public signed comunication protocol:
https://nostr.com/
And you can use too a signing device the same as you use a Hardware Wallet to sign BTC.
I now know it's a decentralized social media like, but to clear a few things up, generally speaking in elliptic curve cryptography all numbers are to be considered a valid private key with 1 exception which is the group order n, in any curve you can pick any random number whether greater than n or smaller, negative or positive, they all are valid private keys.
So, as long as you hold a private key, you can convert that to as many different curve public keys as you want, but it's not safe to carry a funded private key, in your clipboard when online going to different apps, pages etc. And it's not safe to use nostr keys to generate Bitcoin addresses to store large amounts of fund.
If you need more details, here is the address type wallets use nowadays :
I did a few searches and it seems like it's not possible to get a standard Bitcoin address from the "npub" alone.
It appears that Nostr's public key (decoded npub) resembles the "compressed pubKey" of Bitcoin but without the 1byte prefix that identifies if the y coordinate is odd or even.
It's exclusively the x coordinate, so without any information on the y coordinate, you'll have to guess which prefix to use.
Why would anyone need to guess about y coordinates if they already have the private key? Nostr is something entirely different, as it has nothing to do with addresses. OP is also confused about signing messages, he thinks Bitcoin addresses are used to sign a message, while the only thing used to do that is the private key. Though we can encrypt messages with public keys.
So even if you don't know which y coordinates to use, you can access 4 public keys with only 1 private key, first pair of public keys are supposedly +n, then you could subtract the private key from n to access -n pair. In practice, every time we generate 1 private key, we are essentially burning *4 Bitcoin addresses without knowing it.
*= legacy version.
He specifically asked about using the npub (bech32 encoded) directly without mentioning the private key.
So I've explained that it's not possible with it alone.
Plus we already mentioned that it is possible with the private key.
Thanks for the clue.That won't be a problem in order to verify that a a npub nostr match with a BTC Address since you just need to check 2 paths.
Sorry if I didn't express myself well: anyone should be able to verify that a particular nostr npub is the owener of the BTC address.
Thanks to both of you for your comments
I was going to write that you can just place the Nostr private key inside a SHA256 hash function to create a brainwallet of sorts which will give you a Bitcoin address, but then the requirements changed
In that case the private key (if you have it) of the Nostr public key can also create a Bitcoin private key, since they use the same elliptic curve algorithm (secp256k1), but you won't be able to verify an address, because the Schnorr signatures used by Nostr inhibit any sort of public key recovery.
Thanks for the comment. I need to study and understand more. When using a BTC taproot address you also use a Schnorr signature right? And my thought was that in order to do what I ask, the BTC public Key will be public as you can guess it from the nostr pubkey, so you will use a type signature for the nostr protocol, and another for the BTC (always from the same private key).
Yes, Taproot addresses also use Schnorr signatures.
People don't normally exchanging Bitcoin public keys, so you will usually be getting the Nostr public key and using that as a BTC public key for the purposes of hashing an address.
The payloads that Nostr and Taproot sign using Schnorr are entirely different though. Taproot signs a binary transaction, whereas Nostr signs some JSON data.
How does Schnorr algorithm hide the public key, and if it does how would the verifying process go without the public key?
I thought taproot reveals the public key even without having any output transaction. Do you happen to know of any script well implemented and secure which I can use to generate taproot addresses?
Because the signing algorithm takes the public key X and Y, and runs it through a hash function and a XOR to get the multiplicand for the r-value, and then runs the r-value along with some other point and the message through another round of hashing to make the s-value. Since both of these values are hashed, it is impossible to use the conventional equation to retrieve the public key from the signature.
Thanks for the info. Showing off a BTC public key seems like it could be a security issue, kinda like reusing addresses. Plus, I guess people aren't too keen on tying their identity to a BTC address (this isn't Ethereum, right? haha). I think there might be some cool uses for it, though
Hoo boy, a lotta drama on Nostr about this over the last day or so. ETA: But it started on the NIPs GitHub weeks ago, which I wasn't subscribed to.
Midstream, I noticed Taproot/Craproot? enter the chat.
And then ChatGPT & me made a full reference implementation in Python, which I'll excerpt out, below:
ChatGPT forcefully recommended I keep the private key conversion code separate from that proposal (I said I wanted to include it), but here it is, the nsec to WIF (compressed private key format) conversion that always results in Electrum showing the same p2pkh (if compressed private key is imported without prefix) & the same p2wpkh (if compressed private key is imported with prefix p2wpkh:) that were obtained from the production version of the pubkey-conversion-only code block above:
Production version:
Published on Nostr
P.S. This is possible with cryptography, but you should only keep watch on these addresses without making them public knowledge & know how to spend them to 0 - if someone actually sends you BTC after deriving on their own/via some website's tool.
If you want to give out public addresses derived from your nsec, hardened by passphrase salting, see why & how, here.
Don't use nsecs as live bitcoin addresses. Clients probably don't store these as securely as a wallet would safeguard a Bitcoin private key.
E.g. Nostr clients expose window.nostr in Google Chrome and other browsers. And there is already a plethora of credential-stealing malware written for browsers and Windows.
Yeah, there's a few of them that store your Nostr keys in there and let you log into Primal/Snort et al quickly. Both Firefox & Chrome have some I think (in Firefox's case I'm not sure).