# Keys & Key Derivation

### Key Derivation

The user's [spending key](/nocturne/protocol-concepts/keys-and-stealth-addresses.md), which we will refer to as $$\text{sk}$$, is a uniformly-sampled 32-byte string.

> In Nocturne's MetaMask Snap, we derive the $$\text{sk}$$ using the `snap_getBip44Entropy` method at derivation path `m / 44' / 6789'`.

Let $$G$$ denote the generator of Baby Jubjub's prime-order subgroup. The user's spending public key, which we will refer to as $$\text{PK}$$, is an element of Baby Jubjub defined as $$\text{PK} = \text{SHA512}(\text{sk})[0:32] \times G$$ ($$[0:32]$$ means "0th through 32nd byte"). $$\text{PK}$$ is only used to verify signatures in-circuit. It never appears on-chain or leaves the client.

> What we refer to as the "generator" is often called the "base point" in order to differentiate between the generator of Baby Jubjub's curve group and the generator of Baby Jubjub's prime-order subgroup. Since all operations are performed in the prime-order subgroup, we're ignoring this distinction and using the word "generator" to refer to the generator of the prime-order subgroup.

The user's [viewing key](/nocturne/protocol-concepts/keys-and-stealth-addresses.md) is an element of $$\mathbb{F}_r$$ defined as $$vk = H(\text{PK.X}\ ||\ \text{PK.Y}\ ||\ \text{vkNonce})$$, where $$\text{PK.X}, \text{PK.Y} \in \mathbb{F}_p$$ are the x and y coordinates of $$\text{PK}$$ respectively, $$\text{vkNonce} \in \mathbb{F}_p$$, and $$\text{vkNonce}$$ must be chosen such that the output of the hash is an element of $$\mathbb{F}_r$$.

That last provision is needed because $$H$$ returns an element of $$\mathbb{F}_p$$, but we need an element of $$\mathbb{F}_r$$. A reduction modulo $$r$$ would bias the key generation, and using Poseidon over $$\mathbb{F}_r$$ would be prohibitively expensive in-circuit. But this approach suffers from neither issue - during key generation, we can increment `vkNonce` and try again if the output of the hash is not an element of $$\mathbb{F}_r$$.

> In theory, rejection sampling like this comes at a small performance cost. ~91% of the possible $$\text{vkNonce} > r$$, so we expect that, on average, it will take 10-11 tries to find a "good" nonce. In practice, the cost is negligible - 11 attempts take ~30ms with a very naive implementation.
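
The derivation above carried end to end, as an added Python example (not Nocturne's own code). The curve constants are the standard Baby Jubjub parameters; `h_standin` is a SHA-256 placeholder for the Poseidon hash $$H$$, and the little-endian scalar encoding and the starting nonce of 1 are assumptions the page does not specify.

```python
import hashlib

# Standard Baby Jubjub parameters: a*x^2 + y^2 = 1 + d*x^2*y^2 over F_p.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
R = 2736030358979909402780800718157159386076813972158567259200215660948447373041  # subgroup order r
A, D = 168700, 168696
G = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
     16950150798460657717958625567821834550301663161624707787222815936182638968203)

def on_curve(pt):
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(p1, p2):  # complete twisted Edwards addition; the identity is (0, 1)
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h_standin(*elems):  # STAND-IN for H (Poseidon over F_p), not the real hash
    data = b"".join(e.to_bytes(32, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def derive_keys(sk):
    if len(sk) != 32:
        raise ValueError("sk must be a 32-byte string")
    # Assumption: the first 32 bytes of SHA512(sk) are read as a little-endian integer.
    scalar = int.from_bytes(hashlib.sha512(sk).digest()[:32], "little")
    pk = mul(scalar, G)
    nonce = 1  # assumption: the page does not state the starting vkNonce
    while True:
        vk = h_standin(pk[0], pk[1], nonce)
        if vk < R:  # accept only outputs already in F_r, so no modular bias
            return pk, vk, nonce
        nonce += 1  # reject and retry instead of reducing mod r
```

The returned `vkNonce` has to be kept alongside the key material (or recomputed by the same search), since anyone recomputing $$vk$$ from $$\text{PK}$$ needs the same nonce.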

