Spending Keys

A BIP39 24-word seed phrase can be used to derive one or more spend authorities. From this mnemonic seed phrase, spend seeds can be derived using PBKDF2 with:

HMAC-SHA512 as the PRF and an iteration count of 2048 (following BIP39)
the seed phrase used as the password
mnemonic concatenated with an index used as the salt, i.e. the default spend authority is derived using the salt mnemonic0

The root key material for a particular spend authority is the 32-byte seed derived as above from the seed phrase. The seed value is used to derive

$ask \in F_{r}$ , the spend authorization key, and
$nk \in F_{q}$ , the nullifier key,

as follows. Define prf_expand(label, key, input) as BLAKE2b-512 with personalization label, key key, and input input. Define from_le_bytes(bytes) as the function that interprets its input bytes as an integer in little-endian order. Then

ask = from_le_bytes(prf_expand("Penumbra_ExpndSd", seed, 0)) mod r
nk  = from_le_bytes(prf_expand("Penumbra_ExpndSd", seed, 0)) mod q

The spending key consists of seed and ask. When using a hardware wallet or similar custody mechanism, the spending key remains on the device.

The spend authorization key $ask$ is used as a decaf377-rdsa signing key.¹ The corresponding verification key is the spend verification key $ak = [ask] B$ . The spend verification key $ak$ and the nullifier key $nk$ are used to create the full viewing key described in the next section.

Note that it is technically possible for the derived $a s k$ or $n s k$ to be $0$ , but this happens with probability approximately $2^{- 252}$ , so we ignore this case, as, borrowing phrasing from Adam Langley, it happens significantly less often than malfunctions in the CPU instructions we’d use to check it.

The Penumbra Protocol

Spending Keys