Shield Key & View Key Derivation

Papillae uses deterministic key derivation to generate all necessary keys from a single source:

Key Hierarchy:

Master Wallet Signature
         ↓
    Master Seed
         ↓
    ┌────┴────┐
    ↓         ↓
Spending   Viewing
  Seed      Seed
    ↓         ↓
    ↓    ┌────┴────┐
    ↓    ↓         ↓
    ↓  View    View
    ↓  Private Public
    ↓   Key     Key
    ↓
Spending
 Private
   Key
    ↓
Spending
 Public
   Key
    ↓
 Stealth
 Address

Derivation Process:

Step 1: Master Seed Generation

// User signs a deterministic message with their walletconst message = "Papillae Privacy Protocol - Master Key Derivation";const signature = await wallet.signMessage(message);// Use signature as entropy for master seedconst masterSeed = keccak256(signature);

Step 2: Spending Key Derivation

// Derive spending seedconst spendingSeed = keccak256(
  masterSeed + "spending" + userAddress
);// Generate spending private key (scalar)const spendingPrivateKey = spendingSeed mod CURVE_ORDER;// Generate spending public key (point)const spendingPublicKey = G * spendingPrivateKey;// where G is the generator point on BN254 curve

Step 3: Viewing Key Derivation

// Derive viewing seed (separate branch)const viewingSeed = keccak256(
  masterSeed + "viewing" + userAddress
);// Generate viewing private keyconst viewingPrivateKey = viewingSeed mod CURVE_ORDER;// Generate viewing public keyconst viewingPublicKey = G * viewingPrivateKey;

Step 4: Stealth Address Derivation

// Combine both public keys to derive stealth addressconst stealthAddress = keccak256(
  spendingPublicKey + viewingPublicKey
).slice(0, 20); // Take first 20 bytes// Format as Ethereum addressconst formattedAddress = "0x" + stealthAddress.toString('hex');

Key Properties:

Deterministic: Same master wallet always generates same keys
Non-custodial: Keys never leave user’s device
Recoverable: Can regenerate all keys from master wallet signature
Hierarchical: Follows BIP-32 style derivation
Independent: Spending and viewing keys are cryptographically separate

Security Considerations:

Master wallet signature should be generated in secure environment
Private keys stored encrypted in browser’s IndexedDB
Spending key required for transactions (hot storage)
Viewing key can be safely shared (read-only access)
Lost master wallet = lost access (implement backup mechanisms)
Stealth address computationally unlinked to master wallet

Key Storage:

// Encrypted storage format{
  encryptedSpendingKey: encrypt(spendingPrivateKey, userPassword),  encryptedViewingKey: encrypt(viewingPrivateKey, userPassword),  spendingPublicKey: spendingPublicKey, // Public, safe to store  viewingPublicKey: viewingPublicKey,   // Public, safe to store  stealthAddress: stealthAddress,       // Public, safe to store  derivationPath: "m/papillae/0",       // For future HD wallet support  createdAt: timestamp
}

PreviousToken Shielding and Unshielding NextPrivate Deposit

Last updated 2 months ago