https://github.com/tea2x/quantum-purse-key-vault
A SPHINCS+ key management module for CKB blockchain
- Host: GitHub
- URL: https://github.com/tea2x/quantum-purse-key-vault
- Owner: tea2x
- License: mit
- Created: 2025-04-21T09:14:20.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2026-01-15T06:32:07.000Z (5 months ago)
- Last Synced: 2026-01-15T09:44:48.109Z (5 months ago)
- Language: Rust
- Homepage: https://www.npmjs.com/package/quantum-purse-key-vault
- Size: 194 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Quantum Purse key vault
This module provides a secure authentication interface to manage FIPS205 (formerly SPHINCS+) cryptographic keys for the CKB blockchain using Rust and WebAssembly.
###### Feature list:
| Feature | Details |
|-----------------------|----------------------|
| **Signature type** | SPHINCS+ |
| **Store model** | Indexed DB |
| **Mnemonic standard** | Custom BIP39 English |
| **Local encryption** | AES256 |
| **Key derivation** | HKDF |
| **Authentication** | Password |
| **Password hashing** | Scrypt |
### Mnemonic backup format
BIP39 is chosen as the mnemonic backup format due to its user-friendliness and quantum resistance.
SPHINCS+ offers 12 parameter sets, grouped by three security parameters: 128-bit, 192-bit, and 256-bit. These require seeds of 48 bytes, 72 bytes, and 96 bytes respectively, which are used across key generation and signing. Because BIP39 supports at most 32 bytes of entropy, this library introduces a custom (combined) BIP39 mnemonic backup format for each SPHINCS+ security parameter, as shown below:
| SPHINCS+ security parameter | BIP39 entropy level | Word count |
|-------------------------------------|-----------------------|-----------------|
| 128 bit ~ 48 bytes ~ 3*16 bytes | 3*16 bytes | 3*12 = 36 words |
| 192 bit ~ 72 bytes ~ 3*24 bytes | 3*24 bytes | 3*18 = 54 words |
| 256 bit ~ 96 bytes ~ 3*32 bytes | 3*32 bytes | 3*24 = 72 words |
###### For example:
- SHA2-256s will require users to back up 72 words of mnemonic phrase.
- SHAKE-192s will require users to back up 54 words of mnemonic phrase.
- SHA2-128f will require users to back up 36 words of mnemonic phrase.
### Key Derivation Function
From the single master seed, quantum-purse-key-vault can derive many child keys using a Key Derivation Function (KDF). A pure hash-based KDF is the top choice for this project. Using [BIP32](https://en.bitcoin.it/wiki/BIP_0032) carefully (with only hardened key derivation and never generating ECDSA public keys) could also satisfy this need, but the benefit of such tricky usage is unclear at this point (2025). Thus, a fresh start with HKDF seems better because it is simpler, meaning the implementation will be easier to audit.
###### Key Tree:
```
master_seed
├─ index 0 → sphincs+ key 1
├─ index 1 → sphincs+ key 2
├─ index 2 → sphincs+ key 3
└─ ...
```
###### Derivation Flow:
```
master_seed
│
▼
(seed_part1, seed_part2, seed_part3)
│
├─ HKDF("ckb/quantum-purse/sphincs-plus/", index)
│
▼
(sk_seed, sk_prf, pk_seed)
│
├─ sphincs+_key_gen()
│
▼
(sphincs+ public_key, sphincs+ private_key)
```
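The derivation flow above, sketched in Python with only the standard library. This is an added example, not the project's Rust code. Only the label string comes from the README; HMAC-SHA256 as the HKDF hash, the empty salt, the 4-byte big-endian index encoding, and the mapping of one seed part to one output component are assumptions made for illustration.

```python
import hashlib
import hmac

# Label taken from the README's derivation flow; everything else is assumed.
LABEL = b"ckb/quantum-purse/sphincs-plus/"
# README table: security parameter (bits) -> bytes per seed part (seed = 3 parts).
PART_LEN = {128: 16, 192: 24, 256: 32}


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    hash_len = hashlib.sha256().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested output too long for HKDF")
    # An absent salt is defined by the RFC as hash_len zero bytes.
    prk = hmac.new(salt or bytes(hash_len), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_child_seeds(master_seed: bytes, level: int, index: int):
    """Return (sk_seed, sk_prf, pk_seed) for one child index."""
    n = PART_LEN[level]
    if len(master_seed) != 3 * n:
        raise ValueError(f"{level}-bit sets need a {3 * n}-byte master seed")
    if not 0 <= index < 2**32:
        raise ValueError("index must fit in 32 bits")
    # Assumed encoding: the label followed by the index as 4 big-endian bytes.
    info = LABEL + index.to_bytes(4, "big")
    parts = [master_seed[i * n:(i + 1) * n] for i in range(3)]
    # Assumed mapping: each seed part is expanded alone into one component.
    return tuple(hkdf_sha256(part, info, n) for part in parts)


if __name__ == "__main__":
    seed = bytes(range(48))  # constructed sample seed; real seeds must be random
    for idx in range(3):
        sk_seed, sk_prf, pk_seed = derive_child_seeds(seed, 128, idx)
        print(idx, sk_seed.hex(), sk_prf.hex(), pk_seed.hex())
```

Because the index is bound into the HKDF `info` input, each child is domain-separated from its siblings, and none of the child seeds reveals the master seed parts.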
### Dependency
- Rust & Cargo
- Wasm-pack
- Npm
### Build
```shell
# run build script
./build.sh
# test
cargo test
```
### Package and publish
```shell
cd dist
npm pack
npm login
npm publish
```
### Usage example
Refer to [QuantumPurse project](https://github.com/tea2x/quantum-purse-web-static.git).