NUMS: "Nothing Up My Sleeve" and how Surge made it part of Taproot Vault design
- The Key Path, and Why we needed it dead?
- NUMS: a key no one can sign for
- Why this is more than a destroyed key?
- Why it scales Bitcoin-backed dollar credit?
Last Tuesday we covered the Unilateral Exit, the tapscript leaf that lets a borrower recover their bitcoin alone, after a timelock, with no permission from Surge. This one closes the loop on the other side of the same architecture: the NUMS key, which is how we shut the back door that would otherwise make exit beside the point.
The Key Path, and Why we needed it dead?
Every taproot output (BIP341) commits to two things at once: a single Schnorr key, the internal key, that enables the key path, and a Merkle tree of tapscript leaves (BIP342). The intent is that parties cooperate in the common case and spend via the key path with one signature, indistinguishable from any other on-chain spend. When they disagree, default, or vanish, the script tree carries a fallback they committed to up front. That dual structure is the design. Almost nobody builds on the full thing. Surge does.
But the key path is an unconditional spend. Whoever can sign for the internal key moves the coins, full stop. No leaf to reveal, no commitment to check. A backdoor, useful when both parties hold a share, dangerous when they don’t. For a credit vault that default is exactly wrong. The script tree carries repayment, liquidation, and the exit path we walked through last week. A usable key path would mean none of those conditions matter, collateral could move without satisfying any of them. Exit is only meaningful if there’s no other way to move the coins.
So we needed the key path to exist (taproot requires it) and to be unusable.
NUMS: a key no one can sign for
NUMS means "nothing up my sleeve", a value derived transparently from a fixed string so anyone can recompute it and confirm it wasn't chosen for any hidden reason. The point isn't that we don't know the private key. It's that the construction leaves no room for anyone to have chosen the point adversarially.
Two properties make NUMS work, and they get conflated.
First, the constructor can't cheat. If we were free to pick any point P on the curve, we could quietly pick P = k·G for some k we kept, a backdoor in plain sight. Deriving P from sha256("SURGE-NUMS") takes that away. The hash output is what it is; we don't choose it. That's what SHA-256 contributes: it constrains us.
Second, no one can spend through the resulting key. Given P = lift_x(sha256("SURGE-NUMS")), recovering k where k·G = P means solving the discrete log problem on secp256k1, the same problem that protects every Bitcoin private key in existence. Hard for any point on the curve, not because of how P was generated, but because of the curve itself. NUMS doesn't make the point unspendable. The curve does. What NUMS guarantees is that the constructor didn't sneak in a point they already had the discrete log for.
SHA-256 stops us cheating. Discrete log hardness stops anyone spending.
BIP341 already specifies a canonical such point:
H = lift_x(0x50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0).
It works. We wanted a Surge-specific commitment, a string that names what it is and who deployed it:
nums_x = sha256("SURGE-NUMS") = 0x6a1bac977b8af761b330d1473dba1e5cfc75b3256a1ae900b78a369e175423f2
That hash is the x-only internal key on every Surge vault. One line of code in any language. The string is the seed. The point is what it is.
Why this is more than a destroyed key?
You could imagine a vault where the internal key was generated normally and the private key destroyed. Feels similar. Isn’t equivalent. A destroyed key was once a real key. You have to trust the ceremony, no backup, no compromised RNG, no colluding participants. The security is operational. Depends on humans you didn’t watch.
NUMS has no ceremony. Nothing was generated. The construction is a public hash of a public string, and the security reduces to discrete log, the same assumption every bitcoin user already trusts.
That's the difference between "we won't move your coins through the key path" and "we can't, and you can verify it". The first is a promise that needs a company to keep existing. The second is a property of the script.
Why it scales Bitcoin-backed dollar credit?
NUMS and Unilateral Exit are two ends of the same architecture. Exit guarantees the borrower can always leave. NUMS guarantees no one can leave through any other door. Together they make every Surge vault structurally identical: same taproot output, same three tapscript leaves, same NUMS commitment.
No per-vault ceremony, no per-borrower setup, no quietly evolving custody policy. A borrower opening their first vault verifies the same construction as one opening their thousandth: recompute sha256("SURGE-NUMS"), confirm it matches, read the leaves, sign.
The credit book grows. The thing you have to trust does not.
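The derivation from the NUMS section and the borrower's "recompute and confirm" step above, as an added example that is not Surge's code: a pure-Python secp256k1 lift_x, a NUMS point derived from an arbitrary seed, and the check a vault user runs against an advertised internal key. One caveat the code handles: lift_x fails for roughly half of all 32-byte values, so a NUMS derivation has to confirm the hash really is an x coordinate. The BIP341 point H is used as the known-good reference, since BIP341 defines it as sha256 of the uncompressed encoding of G.

```python
# Added example (not Surge's code): derive a NUMS internal key as the post
# describes and verify it the way a borrower would. Pure Python, secp256k1 only.
import hashlib

# secp256k1 parameters (field prime and base point G), as in BIP340/341.
P_FIELD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G_X = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
G_Y = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
# Canonical "nothing up my sleeve" x coordinate from BIP341, quoted in the post.
BIP341_H_X = 0x50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0


def lift_x(x: int):
    """BIP340 lift_x: the curve point with x coordinate x and even y, or None
    when no such point exists (the case for roughly half of all 32-byte values)."""
    if not 0 < x < P_FIELD:
        return None
    c = (pow(x, 3, P_FIELD) + 7) % P_FIELD
    y = pow(c, (P_FIELD + 1) // 4, P_FIELD)   # valid square root because p % 4 == 3
    if (y * y) % P_FIELD != c:
        return None                             # x is not on the curve
    return (x, y if y % 2 == 0 else P_FIELD - y)


def nums_point(seed: bytes):
    """Transparent derivation: x = sha256(seed), then lift_x. Anyone holding the
    seed recomputes the same point; nobody chose it, so nobody holds k with
    k*G == point. Returns None if the hash is not a valid x coordinate."""
    return lift_x(int.from_bytes(hashlib.sha256(seed).digest(), "big"))


def verify_internal_key(claimed_x_hex: str, seed: bytes) -> bool:
    """What a vault user checks: the advertised x-only internal key equals
    sha256(seed) exactly, and that value lifts to a point on the curve."""
    point = nums_point(seed)
    if point is None:
        return False
    return point[0] == int(claimed_x_hex, 16)


def bip341_h_seed() -> bytes:
    """BIP341 derives H from the uncompressed encoding of G: 0x04 || Gx || Gy."""
    return b"\x04" + G_X.to_bytes(32, "big") + G_Y.to_bytes(32, "big")


if __name__ == "__main__":
    # Known-good reference: BIP341's H must reproduce from G alone.
    print(verify_internal_key(f"{BIP341_H_X:064x}", bip341_h_seed()))
    # Same check against the post's label; compare point[0] with the published x.
    print(nums_point(b"SURGE-NUMS"))
```

To check a deployed vault, replace the seed with the label the deployer published and compare the returned x coordinate with the internal key in the vault's taproot output.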
Don’t trust. Verify. 🟧