BIP340: Make reference impl accept None for aux_rand #1218

pull junderw wants to merge 1 commits into bitcoin:master from junderw:fix/reference-340 changing 1 files +3 −3
  1. junderw commented at 10:48 PM on October 21, 2021: contributor

    Checking the libsecp256k1 implementation, it accepts a null pointer for aux_rand and uses the possibly negated private key alone without XORing with anything in that case.

    This fix brings the implementation in-line with the C implementation.

  2. BIP340: Make reference impl accept None for aux_rand d8405c5821
  3. jonasnick commented at 9:20 AM on October 22, 2021: contributor

    @junderw thanks for your contribution, but I don't really see a reason to have identical APIs in libsecp and the reference implementation. In libsecp this is a convenience feature, but the reference implementation isn't supposed to be used anyway.

  4. junderw commented at 4:11 PM on October 22, 2021: contributor

    I do think there is merit to the reference implementation showing this as Optional[]

    1. BIP340 makes mention of optional alternative methods of generating k, and the security tradeoffs associated.
    2. The most prominent library implementing it thus far decided to make it optional.
    3. People implementing BIP340 will look at the python code and gloss over the alternative methods of k generation. (ie. https://github.com/BitGo/bitcoinjs-lib/pull/12#discussion_r732323271)

    Also, I personally find the libsecp256k1 implementation to be more in line with the BIP340 in these regards, and thus felt that the python reference implementation should reflect that (to help those implementing it down the line. Not so that the reference itself could be used)

    That said, I defer the decision to you. Please let me know if you still want to NACK this, and I'll close (or Kalle can close if he notices first)

    Thanks for your time @jonasnick

  5. kallewoof commented at 2:42 PM on October 23, 2021: member

    Changes seem reasonable to me, so I defer the decision to close to @junderw or @luke-jr.

  6. jonasnick commented at 7:24 PM on October 26, 2021: contributor

    BIP340 makes mention of optional alternative methods of generating k, and the security tradeoffs associated.

    If you want to use an truly alternative nonce function, you can't use the reference implementation's API and then it doesn't matter whether aux_rand is optional.

    Keeping it non-optional helps conveying that aux_rand "is recommended whenever available" as mentioned in the BIP.

  7. junderw commented at 12:38 AM on October 27, 2021: contributor

    Keeping it non-optional helps conveying that aux_rand "is recommended whenever available" as mentioned in the BIP.

    Keeping it non-optional conveys "it is not optional" which contradicts the BIP.

    That being said, I deferred the decision to you and it seems clear that you disagree with this PR, so I will close it as mentioned before.

    Thanks for your time.

  8. junderw closed this on Oct 27, 2021
  9. junderw cross-referenced this on Oct 30, 2021 from issue Add test vectors for BIP 341 SigMsg by giacomocaironi
Contributors
junderwjonasnickkallewoof
Linked (view graph)
#1191 Add test vectors for BIP 341 SigMsg
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-19 09:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me