{"slug": "nostr-silent-wallet", "title": "Nostr Silent Wallet", "summary": "The article introduces the **Nostr Silent Wallet (NSW)**, a proposal that allows a static, reusable Silent Payment address to be deterministically derived from a Nostr public key (npub). This creates a wallet model where any Nostr identity inherently has a corresponding payment address that is publicly verifiable, anti-spoofing, and privately detectable only by the key holder. The NSW differs from standard wallet implementations by linking keys to a Nostr identity rather than private seed material, offering privacy benefits like plausible deniability and making on-chain funding relationships difficult to trace.", "body_md": "Skip to content\nThe BIP-352 Silent Payments proposal creates an opportunity to define a distinct Nostr Silent Wallet (NSW) for a Nostr identity.\nThis work arose from related efforts to derive a Taproot (p2tr\n) address from a Nostr public key and to understand how Nostr identity material could map deterministically into Bitcoin wallet semantics. That earlier exploration made it clear that the same identity-linked approach could be extended beyond a single visible Taproot address into a richer Silent Payments receive model.\nOne of its most important properties is that Silent Payments can provide a static payment address: a stable Silent Payments receive identity that can be reused by senders without creating a reusable on-chain receive address.\nUnder the Nostr Silent Wallet derivation rule, a Silent Payment address can be deterministically derived from a known npub\n. This means every Nostr identity can be treated as having a corresponding Nostr Silent Wallet (NSW), even if the identity owner has never explicitly published or acknowledged it.\nThis creates several important properties:\n- Independent verifiability: anyone who knows the\nnpub\nand the Nostr Silent Wallet derivation rule can derive the expected Silent Payment address and verify it independently. - Anti-spoofing assurance: a sender does not need to trust a pasted or manually shared address. The correct Silent Payment address is fixed by the recipient identity and can be derived locally.\n- Plausible deniability: because anyone can derive the Silent Payment address from the\nnpub\n, the existence of that address does not prove thensec\nholder intentionally created, published, or even knew about it. - Private receipt detection: while the Silent Payment address is publicly derivable, only the holder of the matching private scan key can detect which on-chain outputs belong to the Nostr Silent Wallet.\n- Private fund control: only the holder of the matching private spend path can sweep or spend the detected outputs.\nThis protects both the sender and the recipient.\n- The sender is protected because they can derive the correct receive address themselves and avoid spoofed payment instructions.\n- The recipient is protected because incoming payments do not expose a reusable on-chain receive address, and detected outputs can be swept to unrelated addresses.\nAs a result, the funding relationship between donor and recipient is difficult to establish from public chain data alone.\nThe key architectural insight is that Nostr Silent Wallet differs from a wallet-style Silent Payments implementation in how the receiver's base Silent Payments keys are derived.\n- The Nostr Silent Wallet is derived from Nostr identity using deterministic additive tweaks.\n- In a wallet-style implementation, the Silent Payments keys are usually derived from private seed material through a BIP-32 tree.\nThe resulting sp1...\naddress is still the same kind of Silent Payments object in both cases, so a sender paying to it may see no practical difference. The difference shows up on the receiver side: scanning, recovery, and wallet interoperability depend on whether the wallet can reconstruct the matching private scan and spend keys from the same derivation contract.\nFor practical purposes, the Nostr Silent Wallet should be treated as its own distinct wallet model:\n- it is identity-linked\n- it is privately discoverable\n- it is publicly verifiable\n- it is difficult to attribute to intentional publication\n- and it preserves the core on-chain privacy benefits of Silent Payments\nThis model has especially important implications in high-risk or adversarial environments where counterparties may be required to:\n- send payment to a known identity\n- later confirm receipt\n- produce signed confirmations or acknowledgements\nIn those environments, ordinary payment coordination often creates trust gaps that must be managed by:\n- intermediaries\n- compliance staff\n- auditors\n- counterparties maintaining off-chain address books and attribution records\nThe Nostr Silent Wallet (NSW) approach reduces those gaps significantly.\nThe sender can derive the correct Silent Payment address directly from the recipient identity, so there is no need to trust:\n- a copied payment address\n- an address provided by a third party\n- an address embedded in a message that could have been altered or spoofed\nThat means the sender has strong assurance they paid the correct identity without relying on a separate trusted address-distribution channel.\nAt the same time, the recipient can later confirm receipt using private scan knowledge and, if needed, produce signed statements about receipt or sweeping without the blockchain itself exposing a reusable public funding relationship.\nThis changes the operational trust model in an important way:\n- address authenticity can be derived independently\n- receipt detection can be performed privately by the intended recipient\n- receipt confirmation can be made explicitly and deliberately, rather than inferred from public chain data\nAs a result, many of the trust gaps that would otherwise need to be:\n- maintained by third parties\n- documented through shared address registries\n- or risk-managed through manual verification procedures\nare reduced or eliminated by the cryptographic structure itself.\nIn short, this approach lets counterparties:\n- derive the correct payment destination independently\n- avoid spoofed payment instructions\n- confirm receipt deliberately and privately\n- and do so without exposing a durable public linkage between sender and recipient on-chain\nThis model is also important for protecting vulnerable donors who might otherwise reveal themselves unintentionally through ordinary Bitcoin payment coordination.\nA useful real-world example is the 2022 Canadian trucker protest funding environment. During that period:\n- donor information associated with crowdfunding support for the convoy was leaked and reported on publicly, exposing names, email addresses, locations, and other identifying details in many cases; see ABC News and The Guardian\n- crypto-related accounts and addresses associated with convoy funding were identified and targeted by authorities and intermediaries; see Reuters via Investing.com and reporting on address blacklisting such as CryptoAdventure\nThat episode shows how vulnerable both donors and recipients can become when:\n- payment destinations are publicly reused\n- recipient infrastructure is easy to map\n- donor activity can be linked to known recipient endpoints\n- third parties can identify, freeze, or pressure visible funding paths\nThe Nostr Silent Wallet model helps prevent or sharply reduce that exposure.\nWith the Nostr Silent Wallet model:\n- the sender can derive the correct destination from identity without relying on a publicly circulated payment address\n- the reusable\nsp1...\nreceive identity does not appear on-chain - the actual received outputs are not publicly obvious without the private scan key\n- the recipient can later sweep funds to unrelated addresses, reducing durable public linkage\nThis makes it much harder to:\n- track down vulnerable donors from a known public Bitcoin address reuse pattern\n- map incoming payments to a publicly attributed recipient address\n- establish a clear public funding relationship between a specific donor and recipient from chain data alone\nIn that sense, the Nostr Silent Wallet model protects both sides:\n- the donor is less likely to reveal themselves by paying a publicly watchable recipient address\n- the recipient is less likely to have their funding flows mapped and attributed through visible receive infrastructure\nIt does not eliminate all operational risk, but it removes one of the largest and most common privacy failures in Bitcoin payments: the durable public linkage created by visible recipient addresses and easily traced payment coordination channels.\nThe Nostr Silent Wallet (NSW) model shows that Bitcoin payments do not have to force a tradeoff between identity assurance and financial privacy. By making the correct receive identity independently derivable from Nostr while keeping on-chain receipt discovery and fund control private, this approach creates a stronger, safer, and more trustworthy payment model for both senders and recipients. It reduces spoofing risk, narrows operational trust gaps, protects vulnerable counterparties, and opens the door to a form of Bitcoin coordination that is more resilient in ordinary use and far more defensible in adversarial environments.\nThis also offers an important practical privacy advantage relative to layered Bitcoin privacy solutions such as Lightning and Cashu. Those systems can provide strong privacy properties, but they introduce additional infrastructure and additional trust or operational dependencies, including node operators, routing assumptions, channel management, or mint operators. The Nostr Silent Wallet (NSW) model achieves a comparable improvement in payment privacy at the address-coordination layer without requiring the user to rely on a Lightning node, a federated or custodial mint, or other specialized intermediary infrastructure. The result is a simpler privacy model built directly on Bitcoin and Nostr identity semantics, with fewer moving parts and fewer third-party trust assumptions.\nThe NSW approach leverages everything from BIP-352 with core differences\nBIP-352:\n- starts from already-existing Silent Payments private keys (usually generated by a wallet hardware or app)\n- does not prescribe where these keys came from\nNSW:\n- derives Silent Payments keys deterministically from the publicly known Nostr identity key (\nnpub\n)\nSo the BIP-352 base derivation is essentially:\n- “pick or derive private keys, then compute pubkeys”\nNSW is simply adding an option to the BIP-352 base derivation is:\n- “start from the publicly known Nostr key d/P, derive additive tweaks, and turn that into scan/spend keys”\nSo in a nutshell, the core difference: Instead of starting from an already-existing Silent Payments wallet keyset, NSW derives the receiver’s base Silent Payments keys from the publicly known Nostr identity (npub\n).\nEverything else is exactly the same. There is no difference in how the Silent Payments addresses are used ( Cake Wallet and BlueWallet have been tested) - the only difference is the receiver (i.e., nsec holder\n)needs to know how to recover the funds.\nMath details on the NSW base derivation:\nLet:\nP = dG = Nostr public key\nwhere d\nis the scalar value of the nsec\nDerive deterministic tweaks:\nt_scan = H_tag(\"nostr-sp/scan\", P)\nt_spend = H_tag(\"nostr-sp/spend\", P)\nThen:\nScanPub = P + t_scan G\nSpendPub = P + t_spend G\nthe two public keys are encoded into the address:\nsp1... = bech32m(v0 || ScanPub || SpendPub)\nand privately:\nscan_priv = d + t_scan mod n\nspend_priv = d + t_spend mod n\nAs far as any sending wallet is concerned, the sp1...\naddress is nothing special; it is just another Silent Payments address. However for the receiver, they need to know how to recover against those address using d\n(their nsec\n)\nThe opsec recommendation is to never spend from this wallet to an address outside of your control - always sweep to a fresh address under your control.\nSome might philosophically object to using the nsec\nas a wallet, but NSW gives everyone an attributable Silent Wallet for free but they can ignore and deny knowledge if they wish to.", "url": "https://wpnews.pro/news/nostr-silent-wallet", "canonical_source": "https://gist.github.com/trbouma/77648ebe1005b181b67d1c4b42c7f31d", "published_at": "2026-05-22 12:38:30+00:00", "updated_at": "2026-05-23 03:36:05.486576+00:00", "lang": "en", "topics": ["web3"], "entities": ["Nostr", "Silent Payments", "BIP-352", "Taproot", "Bitcoin"], "alternates": {"html": "https://wpnews.pro/news/nostr-silent-wallet", "markdown": "https://wpnews.pro/news/nostr-silent-wallet.md", "text": "https://wpnews.pro/news/nostr-silent-wallet.txt", "jsonld": "https://wpnews.pro/news/nostr-silent-wallet.jsonld"}}