Understanding Salvium's CryptoNote and CARROT addressing schemes
1 Two Addressing Schemes
Salvium supports two address formats: CryptoNote (Legacy) and CARROT.
Both use Ed25519 elliptic curve cryptography but derive keys differently - CryptoNote uses Keccak-256 hashing while CARROT uses Blake2b.
CryptoNote (Legacy) - SaLv...
Original CryptoNote addressing. Simple key derivation:
Kspend = ks × G
Kview = kv × G
Uses single generator point G. View key derived from spend key hash.
CARROT - SC1...
New FCMP++-compatible addressing. Uses two generators:
Ks = kgi × G + kps × T
Kv = kvi × G
Uses generators G and T. Multiple derived keys from master secret.
2 Hash Functions
Salvium uses two hash functions: Keccak-256 for CryptoNote operations and
Blake2b for CARROT key derivation. Both produce deterministic, one-way outputs.
Hash:
Hash:
3 Mnemonic Seed Encoding
Your wallet's master secret is a 256-bit (32-byte) random number. To make it human-readable and
easier to back up, it's encoded as a 25-word mnemonic phrase using a 1626-word dictionary.
# Encoding: 256 bits → 25 words# Each group of 4 bytes (32 bits) encodes to 3 words:seed[0..3] → w1 + w2×1626 + w3×1626² → words 1-3
seed[4..7] → w4 + w5×1626 + w6×1626² → words 4-6
seed[8..11] → w7 + w8×1626 + w9×1626² → words 7-9
...
seed[28..31] → w22 + w23×1626 + w24×1626² → words 22-24
# Word 25 is a checksum:checksum = CRC32(first 3 letters of words 1-24) mod 1626
Why 1626 words? To encode binary data as words, each word represents an index (0-1625).
Three words together can represent 1626³ ≈ 4.3 billion combinations - just enough to cover 2³² (4.29 billion),
which is 32 bits (4 bytes). So every 4 bytes of your seed encodes to exactly 3 words.
A 256-bit seed = 32 bytes = 8 groups × 3 words = 24 data words + 1 checksum = 25 total.
This gives 2²⁵⁶ possible seeds - a number with 77 digits, far more than atoms in the observable universe.
Enter 25-word mnemonic (or generate random):
(enter mnemonic above)
Word indices (first 6):
(decode mnemonic to see)
Decoded seed (hex):
(decode mnemonic to see)
4 Key Derivation Hierarchy
CryptoNote uses a simple two-key system. The spend secret key is derived from the mnemonic seed,
and the view secret key is derived by hashing the spend key.
CARROT uses a hierarchical key system with multiple derived keys for different purposes.
The master secret spawns view-balance secrets, which in turn derive operational keys.
Address Structure: [prefix][K_s][K_v][checksum] → Base58 → SC1... Generator T: Hash-derived second generator for FCMP++ compatibility
5 Interactive Key Derivation
Seed / Master Secret (256 bits hex):
(enter seed above or generate random)
CryptoNote Key Derivation
k_spend = sc_reduce(seed):
↓ × G
K_spend (public):
k_view = Keccak256(k_spend) mod L:
↓ × G
K_view (public):
Legacy Address (SaLv...):
CARROT Key Derivation
s_master (= seed):
k_ps = H_n("prove-spend", s_m):
s_vb = H_32("view-balance", s_m):
k_gi = H_n("generate-image", s_vb):
k_vi = H_n("incoming-view", s_vb):
K_s = k_gi × G + k_ps × T (spend pubkey):
K_v = k_vi × G (address view key):
↳ This goes IN the address
k_vi × K_s (account view key):
↳ Wallet shows this as "Carrot public"
CARROT Address (SC1...):
Two View Keys - By Design!
Address View Key (k_vi × G): Unique to each address. This is what's encoded in the address string.
Account View Key (k_vi × K_s): Shown by wallet's viewkey command as "Carrot public".
This is the master key used to derive ALL subaddress view keys: K^j_v = k_subscal × (k_vi × K_s)
This elegant design means one account key works for unlimited addresses.
6 Address Structure
Both address formats encode: [network prefix][spend pubkey][view pubkey][checksum].
The prefix determines network (mainnet/testnet) and type (standard/integrated/subaddress).
Address bytes visualization (abbreviated):
Prefix (varint)
Spend Key (32 bytes)
View Key (32 bytes)
Checksum (4 bytes)
Base58 Encoding: The raw bytes are encoded using CryptoNote Base58,
which processes 8-byte blocks into 11 characters using this alphabet: 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
7 Address Decoder
Decode any Salvium address to extract its components. Supports all 6 address types: